Posted to kerby@directory.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2017/08/01 08:41:38 UTC
Re: directory-kerby git commit: DIRKRB-640 mplement renew ticket in
kinit tool.
Hi Jiajia,
Just a reminder that you need to git cherry-pick this merge on the
1.0.x-fixes branch as well.
Thanks,
Colm.
On Tue, Aug 1, 2017 at 5:51 AM, <pl...@apache.org> wrote:
> Repository: directory-kerby
> Updated Branches:
> refs/heads/trunk f8f95ab14 -> 05be35035
>
>
> DIRKRB-640 mplement renew ticket in kinit tool.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
> Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/
> commit/05be3503
> Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/05be3503
> Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/05be3503
>
> Branch: refs/heads/trunk
> Commit: 05be350353af3d2dad957314c9e82adc27674bff
> Parents: f8f95ab
> Author: plusplusjiajia <ji...@intel.com>
> Authored: Tue Aug 1 12:51:27 2017 +0800
> Committer: plusplusjiajia <ji...@intel.com>
> Committed: Tue Aug 1 12:51:27 2017 +0800
>
> ----------------------------------------------------------------------
> .../kerberos/kerb/client/KrbClientBase.java | 96 ++++++++++++++++++++
> .../kerb/client/request/ArmoredRequest.java | 2 +-
> .../kerberos/kerb/client/request/AsRequest.java | 2 +-
> .../kerb/client/request/AsRequestWithCert.java | 2 +-
> .../kerb/client/request/KdcRequest.java | 21 +++--
> .../kerb/client/request/TgsRequest.java | 4 +-
> .../kerb/client/request/TgsRequestWithTgt.java | 8 +-
> .../kerberos/kerb/type/ticket/SgtTicket.java | 11 +++
> .../kerberos/kerb/ccache/CredentialCache.java | 7 ++
> .../kerby/kerberos/tool/kinit/KinitTool.java | 58 +++++++++---
> 10 files changed, 182 insertions(+), 29 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/KrbClientBase.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
> index 959f38b..d05fee2 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java
> @@ -21,9 +21,11 @@ package org.apache.kerby.kerberos.kerb.client;
>
> import org.apache.kerby.KOptions;
> import org.apache.kerby.kerberos.kerb.KrbException;
> +import org.apache.kerby.kerberos.kerb.ccache.Credential;
> import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
> import org.apache.kerby.kerberos.kerb.client.impl.
> DefaultInternalKrbClient;
> import org.apache.kerby.kerberos.kerb.client.impl.InternalKrbClient;
> +import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
> import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
> import org.slf4j.Logger;
> @@ -211,6 +213,27 @@ public class KrbClientBase {
> }
>
> /**
> + * Request a service ticket
> + * @param ccFile The credential cache file
> + * @return service ticket
> + * @throws KrbException e
> + */
> + public SgtTicket requestSgt(File ccFile) throws KrbException {
> + Credential credential = getCredentialFromFile(ccFile);
> + String servicePrincipal = credential.
> getServicePrincipal().getName();
> + TgtTicket tgt = getTgtTicketFromCredential(credential);
> +
> + KOptions requestOptions = new KOptions();
> + requestOptions.add(KrbKdcOption.RENEW);
> + requestOptions.add(KrbOption.USE_TGT, tgt);
> + requestOptions.add(KrbOption.SERVER_PRINCIPAL, servicePrincipal);
> + SgtTicket sgtTicket = innerClient.requestSgt(requestOptions);
> + sgtTicket.setClientPrincipal(tgt.getClientPrincipal());
> + return sgtTicket;
> + }
> +
> +
> + /**
> * Store tgt into the specified credential cache file.
> * @param tgtTicket The tgt ticket
> * @param ccacheFile The credential cache file
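Review bot: The Javadoc on requestSgt(File) says it requests a service ticket, but the method reads the first credential out of the cache, rebuilds a TGT from it and sends a TGS-REQ with KrbKdcOption.RENEW for that credential's own service principal, i.e. it renews whatever ticket happens to be cached first. Suggest the summary `Renew the first ticket found in the credential cache file by sending a TGS-REQ with the RENEW option; the returned ticket is tagged with the client principal of the cached TGT.` Nothing here checks that the cached credential is a renewable TGT rather than an ordinary service ticket, so a check of the RENEWABLE ticket flag before building the request (the flags are read from the credential further down in this file) would give a clearer error than a KDC rejection; hedged, since the flag accessors are not visible here. The method also passes ccFile straight through, so `Objects.requireNonNull(ccFile, "ccFile")` would turn a null argument into a clear failure.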
> @@ -248,4 +271,77 @@ public class KrbClientBase {
> + "not exist or writable: " +
> ccacheFile.getAbsolutePath());
> }
> }
> +
> + /**
> + * Store sgt into the specified credential cache file.
> + * @param sgtTicket The sgt ticket
> + * @param ccacheFile The credential cache file
> + * @throws KrbException e
> + */
> + public void storeTicket(SgtTicket sgtTicket, File ccacheFile) throws
> KrbException {
> + LOG.info("Storing the sgt to the credential cache file.");
> + if (!ccacheFile.exists()) {
> + try {
> + if (!ccacheFile.createNewFile()) {
> + throw new KrbException("Failed to create ccache file "
> + + ccacheFile.getAbsolutePath());
> + }
> + // sets read-write permissions to owner only
> + ccacheFile.setReadable(false, false);
> + ccacheFile.setReadable(true, true);
> + if (!ccacheFile.setWritable(true, true)) {
> + throw new KrbException("Cache file is not readable.");
> + }
> + } catch (IOException e) {
> + throw new KrbException("Failed to create ccache file "
> + + ccacheFile.getAbsolutePath(), e);
> + }
> + }
> + if (ccacheFile.exists() && ccacheFile.canWrite()) {
> + CredentialCache cCache = new CredentialCache(sgtTicket);
> + try {
> + cCache.store(ccacheFile);
> + } catch (IOException e) {
> + throw new KrbException("Failed to store tgt", e);
> + }
> + } else {
> + throw new IllegalArgumentException("Invalid ccache file, "
> + + "not exist or writable: " +
> ccacheFile.getAbsolutePath());
> + }
> + }
> +
> + public TgtTicket getTgtTicketFromCredential(Credential cc) {
> + EncAsRepPart encAsRepPart = new EncAsRepPart();
> + encAsRepPart.setAuthTime(cc.getAuthTime());
> + encAsRepPart.setCaddr(cc.getClientAddresses());
> + encAsRepPart.setEndTime(cc.getEndTime());
> + encAsRepPart.setFlags(cc.getTicketFlags());
> + encAsRepPart.setKey(cc.getKey());
> +// encAsRepPart.setKeyExpiration();
> +// encAsRepPart.setLastReq();
> +// encAsRepPart.setNonce();
> + encAsRepPart.setRenewTill(cc.getRenewTill());
> + encAsRepPart.setSname(cc.getServerName());
> + encAsRepPart.setSrealm(cc.getServerName().getRealm());
> + encAsRepPart.setStartTime(cc.getStartTime());
> + TgtTicket tgtTicket = new TgtTicket(cc.getTicket(), encAsRepPart,
> cc.getClientName());
> + return tgtTicket;
> + }
> +
> + public Credential getCredentialFromFile(File ccFile) throws
> KrbException {
> + CredentialCache cc;
> + try {
> + cc = resolveCredCache(ccFile);
> + } catch (IOException e) {
> + throw new KrbException("Failed to load armor cache file");
> + }
> + return cc.getCredentials().iterator().next();
> + }
> +
> + public CredentialCache resolveCredCache(File ccacheFile) throws
> IOException {
> + CredentialCache cc = new CredentialCache();
> + cc.load(ccacheFile);
> +
> + return cc;
> + }
> }
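Review bot: storeTicket(SgtTicket, File) creates the cache with createNewFile() under the process umask and only afterwards tightens it with setReadable/setWritable, so there is a window in which the file holding the session key can be readable by other users, and the two setReadable results are discarded, so a failure to drop group/other read leaves the file open without any error; the existing storeTicket(TgtTicket, File) overload above appears to follow the same pattern but is only partly visible here. On POSIX file systems the file can be created owner-only in one step, as in the excerpt below (Path, Files and PosixFilePermissions from java.nio.file need importing), keeping the current code as the non-POSIX fallback. The messages are also copy-pasted: the setWritable failure reports `Cache file is not readable.` and the store failure `Failed to store tgt`, where `Failed to make ccache file writable` and `Failed to store sgt` say what happened, and the body shared by the two overloads could move into one private helper taking the CredentialCache. Further down, getCredentialFromFile drops the cause and names the wrong file, `throw new KrbException("Failed to load ccache file " + ccFile.getAbsolutePath(), e);`, and `cc.getCredentials().iterator().next()` throws NoSuchElementException on an empty cache instead of a KrbException.
```java
    if (!ccacheFile.exists()) {
        try {
            Path path = ccacheFile.toPath();
            if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
                // create owner-only from the start: no window in which the
                // cached session key is readable under the default umask
                Files.createFile(path, PosixFilePermissions.asFileAttribute(
                        PosixFilePermissions.fromString("rw-------")));
            } else {
                // … unchanged: createNewFile()/setReadable/setWritable fallback …
            }
        } catch (IOException e) {
            throw new KrbException("Failed to create ccache file "
                    + ccacheFile.getAbsolutePath(), e);
        }
    }
    // … unchanged: CredentialCache store and "Invalid ccache file" branch …
```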
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> index a052518..b7113a5 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> @@ -233,7 +233,7 @@ public class ArmoredRequest {
> authenticator.setCusec(0);
> authenticator.setSubKey(subKey);
>
> - KdcReqBody reqBody = kdcRequest.getReqBody();
> + KdcReqBody reqBody = kdcRequest.getReqBody(null);
> CheckSum checksum = CheckSumUtil.seal(reqBody, null,
> subKey, KeyUsage.TGS_REQ_AUTH_CKSUM);
> authenticator.setCksum(checksum);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/AsRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequest.java b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
> index 7f35d87..d72d46c 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequest.java
> @@ -74,7 +74,7 @@ public class AsRequest extends KdcRequest {
> public void process() throws KrbException {
> super.process();
>
> - KdcReqBody body = getReqBody();
> + KdcReqBody body = getReqBody(null);
>
> AsReq asReq = new AsReq();
> asReq.setReqBody(body);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> index a1f1725..fae5c80 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> @@ -43,7 +43,7 @@ public class AsRequestWithCert extends AsRequest {
>
> @Override
> public void process() throws KrbException {
> - KdcReqBody body = getReqBody();
> + KdcReqBody body = getReqBody(null);
> AsReq asReq = new AsReq();
> asReq.setReqBody(body);
> setKdcReq(asReq);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/KdcRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/KdcRequest.java b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.java
> index 8b88097..7c241ab 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/KdcRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/KdcRequest.java
> @@ -158,9 +158,9 @@ public abstract class KdcRequest {
> this.kdcReq = kdcReq;
> }
>
> - protected KdcReqBody getReqBody() throws KrbException {
> + protected KdcReqBody getReqBody(KerberosTime renewTill) throws
> KrbException {
> if (reqBody == null) {
> - reqBody = makeReqBody();
> + reqBody = makeReqBody(renewTill);
> }
>
> return reqBody;
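Review bot: getReqBody(KerberosTime renewTill) memoizes reqBody, so the renewTill argument is honored only by the first call and silently ignored by every later one; in this commit ArmoredRequest, AsRequest and TgsRequest now pass null while TgsRequestWithTgt passes the cached renew-till, so the value actually used depends on which call happens first. That ordering constraint should at least be stated on the method, e.g. a Javadoc `Returns the request body, building it on first use. {@code renewTill} is applied only when the body is built; later calls return the cached body regardless of the argument.` A cleaner shape would keep the value in a field set before the first build rather than threading it through every caller. The enclosing class continues outside the hunk.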
> @@ -174,7 +174,7 @@ public abstract class KdcRequest {
> this.kdcRep = kdcRep;
> }
>
> - protected KdcReqBody makeReqBody() throws KrbException {
> + protected KdcReqBody makeReqBody(KerberosTime renewTill) throws
> KrbException {
> KdcReqBody body = new KdcReqBody();
>
> long startTime = System.currentTimeMillis();
> @@ -190,13 +190,18 @@ public abstract class KdcRequest {
>
> body.setTill(new KerberosTime(startTime + getTicketValidTime()));
>
> - long renewLifetime;
> - if (getRequestOptions().contains(KrbOption.RENEWABLE_TIME)) {
> - renewLifetime = getRequestOptions().
> getIntegerOption(KrbOption.RENEWABLE_TIME);
> + KerberosTime rtime;
> + if (renewTill != null) {
> + rtime = renewTill;
> } else {
> - renewLifetime = getContext().getKrbSetting().getKrbConfig().
> getRenewLifetime();
> + long renewLifetime;
> + if (getRequestOptions().contains(KrbOption.RENEWABLE_TIME)) {
> + renewLifetime = getRequestOptions().
> getIntegerOption(KrbOption.RENEWABLE_TIME);
> + } else {
> + renewLifetime = getContext().getKrbSetting().
> getKrbConfig().getRenewLifetime();
> + }
> + rtime = new KerberosTime(startTime + renewLifetime * 1000);
> }
> - KerberosTime rtime = new KerberosTime(startTime + renewLifetime *
> 1000);
> body.setRtime(rtime);
>
> int nonce = generateNonce();
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/TgsRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequest.java b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.java
> index 8e2526e..8e650b8 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequest.java
> @@ -67,7 +67,7 @@ public class TgsRequest extends KdcRequest {
>
> TgsReq tgsReq = new TgsReq();
>
> - KdcReqBody tgsReqBody = getReqBody();
> + KdcReqBody tgsReqBody = getReqBody(null);
> tgsReq.setReqBody(tgsReqBody);
> tgsReq.setPaData(getPreauthContext().getOutputPaData());
>
> @@ -79,7 +79,7 @@ public class TgsRequest extends KdcRequest {
> setKdcRep(kdcRep);
>
> TgsRep tgsRep = (TgsRep) getKdcRep();
> - EncTgsRepPart encTgsRepPart = null;
> + EncTgsRepPart encTgsRepPart;
> try {
> encTgsRepPart = EncryptionUtil.unseal(tgsRep.
> getEncryptedEncPart(),
> getSessionKey(),
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> index ee3151c..5f2e58a 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> @@ -21,6 +21,7 @@ package org.apache.kerby.kerberos.kerb.client.request;
>
> import org.apache.kerby.kerberos.kerb.KrbException;
> import org.apache.kerby.kerberos.kerb.client.KrbContext;
> +import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
> import org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
> import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
> import org.apache.kerby.kerberos.kerb.type.KerberosTime;
> @@ -92,8 +93,13 @@ public class TgsRequestWithTgt extends TgsRequest {
> authenticator.setCtime(KerberosTime.now());
> authenticator.setCusec(0);
> authenticator.setSubKey(tgt.getSessionKey());
> + KerberosTime renewTill = null;
> +
> + if (getRequestOptions().contains(KrbKdcOption.RENEW)) {
> + renewTill = tgt.getEncKdcRepPart().getRenewTill();
> + }
> + KdcReqBody reqBody = getReqBody(renewTill);
>
> - KdcReqBody reqBody = getReqBody();
> CheckSum checksum = CheckSumUtil.seal(reqBody, null,
> tgt.getSessionKey(), KeyUsage.TGS_REQ_AUTH_CKSUM);
> authenticator.setCksum(checksum);
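Review bot: `renewTill` stays null when the cached TGT carries no renew-till, in which case makeReqBody silently substitutes the configured renew lifetime and the RENEW request is sent anyway, leaving the user with a KDC error rather than a client-side one. A check before building the body gives a clearer failure: `if (renewTill == null) { throw new KrbException("Cached ticket is not renewable"); }` (the flags in tgt.getEncKdcRepPart() could be consulted as well, if they are populated on this code path). Since getReqBody caches its result, this must also be the first getReqBody call for the request for the value to take effect; the enclosing method starts outside the hunk.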
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-core/src/main/java/org/apache/
> kerby/kerberos/kerb/type/ticket/SgtTicket.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/
> kerberos/kerb/type/ticket/SgtTicket.java b/kerby-kerb/kerb-core/src/
> main/java/org/apache/kerby/kerberos/kerb/type/ticket/SgtTicket.java
> index 86cdf1e..05c0485 100644
> --- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/
> kerberos/kerb/type/ticket/SgtTicket.java
> +++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/
> kerberos/kerb/type/ticket/SgtTicket.java
> @@ -19,13 +19,24 @@
> */
> package org.apache.kerby.kerberos.kerb.type.ticket;
>
> +import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
> import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
>
> /**
> * Service granting ticket.
> */
> public class SgtTicket extends KrbTicket {
> + private PrincipalName clientPrincipal;
> +
> public SgtTicket(Ticket ticket, EncTgsRepPart encKdcRepPart) {
> super(ticket, encKdcRepPart);
> }
> +
> + public PrincipalName getClientPrincipal() {
> + return clientPrincipal;
> + }
> +
> + public void setClientPrincipal(PrincipalName clientPrincipal) {
> + this.clientPrincipal = clientPrincipal;
> + }
> }
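Review bot: clientPrincipal is a mutable field that no constructor sets, so every SgtTicket built elsewhere (the existing requestSgt(tgt, servicePrincipal) path, for one) leaves it null, and the new CredentialCache(SgtTicket) constructor in this commit then builds a Credential with a null principal. A constructor that takes it makes the value part of the ticket's construction: `public SgtTicket(Ticket ticket, EncTgsRepPart encKdcRepPart, PrincipalName clientPrincipal) { this(ticket, encKdcRepPart); this.clientPrincipal = clientPrincipal; }`. Until callers are migrated, CredentialCache(SgtTicket) should at least fail clearly on a missing principal, `Objects.requireNonNull(sgt.getClientPrincipal(), "clientPrincipal")`.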
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-util/src/main/java/org/apache/
> kerby/kerberos/kerb/ccache/CredentialCache.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/
> kerberos/kerb/ccache/CredentialCache.java b/kerby-kerb/kerb-util/src/
> main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
> index 0a56626..f742649 100644
> --- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/
> kerberos/kerb/ccache/CredentialCache.java
> +++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/
> kerberos/kerb/ccache/CredentialCache.java
> @@ -20,6 +20,7 @@
> package org.apache.kerby.kerberos.kerb.ccache;
>
> import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
> +import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
>
> @@ -53,6 +54,12 @@ public class CredentialCache implements
> KrbCredentialCache {
> setPrimaryPrincipal(tgt.getClientPrincipal());
> }
>
> + public CredentialCache(SgtTicket sgt) {
> + this();
> + addCredential(new Credential(sgt, sgt.getClientPrincipal()));
> + setPrimaryPrincipal(sgt.getClientPrincipal());
> + }
> +
> public CredentialCache(Credential credential) {
> this();
> addCredential(credential);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-tool/client-tool/src/main/java/org/
> apache/kerby/kerberos/tool/kinit/KinitTool.java
> ----------------------------------------------------------------------
> diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/
> kerberos/tool/kinit/KinitTool.java b/kerby-tool/client-tool/src/
> main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
> index 735739e..f2e585c 100644
> --- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/
> kerberos/tool/kinit/KinitTool.java
> +++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/
> kerberos/tool/kinit/KinitTool.java
> @@ -61,7 +61,7 @@ public class KinitTool {
> + "\tOPTIONS:\n"
> + "\t\t-V verbose\n"
> + "\t\t-l lifetime\n"
> - + "\t\t--s start time\n"
> + + "\t\t-s start time\n"
> + "\t\t-r renewable lifetime\n"
> + "\t\t-f forwardable\n"
> + "\t\t-F not forwardable\n"
> @@ -112,8 +112,7 @@ public class KinitTool {
> return password;
> }
>
> - private static void requestTicket(String principal,
> - KOptions ktOptions) throws
> KrbException {
> + private static void requestTicket(String principal, KOptions
> ktOptions) {
> ktOptions.add(KinitOption.CLIENT_PRINCIPAL, principal);
>
> File confDir = null;
> @@ -121,6 +120,38 @@ public class KinitTool {
> confDir = ktOptions.getDirOption(KinitOption.CONF_DIR);
> }
>
> + KrbClient krbClient = null;
> + try {
> + krbClient = getClient(confDir);
> + } catch (KrbException e) {
> + System.err.println("Create krbClient failed: " +
> e.getMessage());
> + System.exit(1);
> + }
> +
> + if (ktOptions.contains(KinitOption.RENEW)) {
> + if (ktOptions.contains(KinitOption.KRB5_CACHE)) {
> + String ccName = ktOptions.getStringOption(
> KinitOption.KRB5_CACHE);
> + File ccFile = new File(ccName);
> +
> + SgtTicket sgtTicket = null;
> + try {
> + sgtTicket = krbClient.requestSgt(ccFile);
> + } catch (KrbException e) {
> + System.err.println("kinit: " + e.getKrbErrorCode().
> getMessage());
> + }
> +
> + try {
> + krbClient.storeTicket(sgtTicket, ccFile);
> + } catch (KrbException e) {
> + System.err.println("kinit: " + e.getKrbErrorCode().
> getMessage());
> + }
> +
> + System.out.println("Successfully renewed.");
> + }
> + return;
> + }
> +
> +
> if (ktOptions.contains(KinitOption.ANONYMOUS)) {
> ktOptions.add(PkinitOption.USE_ANONYMOUS);
> ktOptions.add(PkinitOption.X509_ANCHORS);
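Review bot: When requestSgt(ccFile) throws, the catch only prints the error and execution falls through to storeTicket(null, ccFile) and then to `Successfully renewed.`, so a failed renewal ends in a NullPointerException or a false success message; each catch needs a `return` (or System.exit(1)), and the success line should only be reached after both calls succeed. `e.getKrbErrorCode().getMessage()` also assumes every KrbException carries a KDC error code, which a KrbException built from a message alone (as in getCredentialFromFile) presumably does not, so the handler itself can throw; the same expression is used in the requestSgt(tgt, servicePrincipal) handler in the later hunk of this file. The `-R` branch further returns silently when no `-c` cache is given, where a usage error would tell the user what is missing. A rewrite of the branch is below; requestTicket starts outside this hunk.
```java
    if (ktOptions.contains(KinitOption.RENEW)) {
        if (!ktOptions.contains(KinitOption.KRB5_CACHE)) {
            printUsage("No credential cache (-c) specified for renewal");
            return;
        }
        File ccFile = new File(ktOptions.getStringOption(KinitOption.KRB5_CACHE));
        try {
            SgtTicket sgtTicket = krbClient.requestSgt(ccFile);
            krbClient.storeTicket(sgtTicket, ccFile);
        } catch (KrbException e) {
            // getKrbErrorCode() may be null for client-side failures
            System.err.println("kinit: " + e.getMessage());
            return;
        }
        System.out.println("Successfully renewed.");
        return;
    }
    // … unchanged: anonymous / password handling and TGT request …
```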
> @@ -131,14 +162,6 @@ public class KinitTool {
> ktOptions.add(KinitOption.USER_PASSWD, password);
> }
>
> - KrbClient krbClient = null;
> - try {
> - krbClient = getClient(confDir);
> - } catch (KrbException e) {
> - System.err.println("Create krbClient failed: " +
> e.getMessage());
> - System.exit(1);
> - }
> -
> TgtTicket tgt = null;
> try {
> tgt = krbClient.requestTgt(convertOptions(ktOptions));
> @@ -168,8 +191,13 @@ public class KinitTool {
> + ccacheFile.getAbsolutePath());
> if (ktOptions.contains(KinitOption.SERVICE)) {
> String servicePrincipal = ktOptions.getStringOption(
> KinitOption.SERVICE);
> - SgtTicket sgtTicket =
> - krbClient.requestSgt(tgt, servicePrincipal);
> + SgtTicket sgtTicket;
> + try {
> + sgtTicket = krbClient.requestSgt(tgt, servicePrincipal);
> + } catch (KrbException e) {
> + System.err.println("kinit: " + e.getKrbErrorCode().
> getMessage());
> + return;
> + }
> System.out.println("Successfully requested the service
> ticket for " + servicePrincipal
> + "\nKey version: " + sgtTicket.getTicket().getTktvno());
> }
> @@ -191,7 +219,7 @@ public class KinitTool {
> return krbClient;
> }
>
> - public static void main(String[] args) throws Exception {
> + public static void main(String[] args) {
> KOptions ktOptions = new KOptions();
> KinitOption kto;
> String principal = null;
> @@ -242,7 +270,7 @@ public class KinitTool {
> if (principal == null) {
> if (ktOptions.contains(KinitOption.ANONYMOUS)) {
> principal = KrbConstant.ANONYMOUS_PRINCIPAL;
> - } else {
> + } else if (!ktOptions.contains(KinitOption.KRB5_CACHE)) {
> printUsage("No principal is specified");
> }
> }
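Review bot: The relaxed check lets principal stay null whenever `-c` is given, but as far as this hunk and the requestTicket hunk above show only the `-R` path copes with that; with `-c` alone the call continues into requestTicket, which adds the null principal as CLIENT_PRINCIPAL and proceeds to the TGT request. Tie the exemption to the renew case: `} else if (!ktOptions.contains(KinitOption.RENEW) || !ktOptions.contains(KinitOption.KRB5_CACHE)) {`. main continues outside the hunk.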
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
RE: directory-kerby git commit: DIRKRB-640 mplement renew ticket in
kinit tool.
Posted by "Li, Jiajia" <ji...@intel.com>.
Hi Colm,
Thanks for your reminder, I've merged it to 1.0.x-fixes branch.
Thanks,
Jiajia
-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Tuesday, August 1, 2017 4:42 PM
To: Li, Jiajia <ji...@intel.com>; kerby@directory.apache.org
Subject: Re: directory-kerby git commit: DIRKRB-640 mplement renew ticket in kinit tool.
Hi Jiajia,
Just a reminder that you need to git cherry-pick this merge on the 1.0.x-fixes branch as well..
Thanks,
Colm.
On Tue, Aug 1, 2017 at 5:51 AM, <pl...@apache.org> wrote:
> Repository: directory-kerby
> Updated Branches:
> refs/heads/trunk f8f95ab14 -> 05be35035
>
>
> DIRKRB-640 mplement renew ticket in kinit tool.
>
>
> Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
> Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/
> commit/05be3503
> Tree:
> http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/05be3503
> Diff:
> http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/05be3503
>
> Branch: refs/heads/trunk
> Commit: 05be350353af3d2dad957314c9e82adc27674bff
> Parents: f8f95ab
> Author: plusplusjiajia <ji...@intel.com>
> Authored: Tue Aug 1 12:51:27 2017 +0800
> Committer: plusplusjiajia <ji...@intel.com>
> Committed: Tue Aug 1 12:51:27 2017 +0800
>
> ----------------------------------------------------------------------
> .../kerberos/kerb/client/KrbClientBase.java | 96 ++++++++++++++++++++
> .../kerb/client/request/ArmoredRequest.java | 2 +-
> .../kerberos/kerb/client/request/AsRequest.java | 2 +-
> .../kerb/client/request/AsRequestWithCert.java | 2 +-
> .../kerb/client/request/KdcRequest.java | 21 +++--
> .../kerb/client/request/TgsRequest.java | 4 +-
> .../kerb/client/request/TgsRequestWithTgt.java | 8 +-
> .../kerberos/kerb/type/ticket/SgtTicket.java | 11 +++
> .../kerberos/kerb/ccache/CredentialCache.java | 7 ++
> .../kerby/kerberos/tool/kinit/KinitTool.java | 58 +++++++++---
> 10 files changed, 182 insertions(+), 29 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/KrbClientBase.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/KrbClientBase.java
> index 959f38b..d05fee2 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/KrbClientBase.java
> @@ -21,9 +21,11 @@ package org.apache.kerby.kerberos.kerb.client;
>
> import org.apache.kerby.KOptions;
> import org.apache.kerby.kerberos.kerb.KrbException;
> +import org.apache.kerby.kerberos.kerb.ccache.Credential;
> import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
> import org.apache.kerby.kerberos.kerb.client.impl.
> DefaultInternalKrbClient;
> import org.apache.kerby.kerberos.kerb.client.impl.InternalKrbClient;
> +import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
> import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
> import org.slf4j.Logger;
> @@ -211,6 +213,27 @@ public class KrbClientBase {
> }
>
> /**
> + * Request a service ticket
> + * @param ccFile The credential cache file
> + * @return service ticket
> + * @throws KrbException e
> + */
> + public SgtTicket requestSgt(File ccFile) throws KrbException {
> + Credential credential = getCredentialFromFile(ccFile);
> + String servicePrincipal = credential.
> getServicePrincipal().getName();
> + TgtTicket tgt = getTgtTicketFromCredential(credential);
> +
> + KOptions requestOptions = new KOptions();
> + requestOptions.add(KrbKdcOption.RENEW);
> + requestOptions.add(KrbOption.USE_TGT, tgt);
> + requestOptions.add(KrbOption.SERVER_PRINCIPAL, servicePrincipal);
> + SgtTicket sgtTicket = innerClient.requestSgt(requestOptions);
> + sgtTicket.setClientPrincipal(tgt.getClientPrincipal());
> + return sgtTicket;
> + }
> +
> +
> + /**
> * Store tgt into the specified credential cache file.
> * @param tgtTicket The tgt ticket
> * @param ccacheFile The credential cache file @@ -248,4 +271,77
> @@ public class KrbClientBase {
> + "not exist or writable: " +
> ccacheFile.getAbsolutePath());
> }
> }
> +
> + /**
> + * Store sgt into the specified credential cache file.
> + * @param sgtTicket The sgt ticket
> + * @param ccacheFile The credential cache file
> + * @throws KrbException e
> + */
> + public void storeTicket(SgtTicket sgtTicket, File ccacheFile)
> + throws
> KrbException {
> + LOG.info("Storing the sgt to the credential cache file.");
> + if (!ccacheFile.exists()) {
> + try {
> + if (!ccacheFile.createNewFile()) {
> + throw new KrbException("Failed to create ccache file "
> + + ccacheFile.getAbsolutePath());
> + }
> + // sets read-write permissions to owner only
> + ccacheFile.setReadable(false, false);
> + ccacheFile.setReadable(true, true);
> + if (!ccacheFile.setWritable(true, true)) {
> + throw new KrbException("Cache file is not readable.");
> + }
> + } catch (IOException e) {
> + throw new KrbException("Failed to create ccache file "
> + + ccacheFile.getAbsolutePath(), e);
> + }
> + }
> + if (ccacheFile.exists() && ccacheFile.canWrite()) {
> + CredentialCache cCache = new CredentialCache(sgtTicket);
> + try {
> + cCache.store(ccacheFile);
> + } catch (IOException e) {
> + throw new KrbException("Failed to store tgt", e);
> + }
> + } else {
> + throw new IllegalArgumentException("Invalid ccache file, "
> + + "not exist or writable: " +
> ccacheFile.getAbsolutePath());
> + }
> + }
> +
> + public TgtTicket getTgtTicketFromCredential(Credential cc) {
> + EncAsRepPart encAsRepPart = new EncAsRepPart();
> + encAsRepPart.setAuthTime(cc.getAuthTime());
> + encAsRepPart.setCaddr(cc.getClientAddresses());
> + encAsRepPart.setEndTime(cc.getEndTime());
> + encAsRepPart.setFlags(cc.getTicketFlags());
> + encAsRepPart.setKey(cc.getKey());
> +// encAsRepPart.setKeyExpiration();
> +// encAsRepPart.setLastReq();
> +// encAsRepPart.setNonce();
> + encAsRepPart.setRenewTill(cc.getRenewTill());
> + encAsRepPart.setSname(cc.getServerName());
> + encAsRepPart.setSrealm(cc.getServerName().getRealm());
> + encAsRepPart.setStartTime(cc.getStartTime());
> + TgtTicket tgtTicket = new TgtTicket(cc.getTicket(),
> +encAsRepPart,
> cc.getClientName());
> + return tgtTicket;
> + }
> +
> + public Credential getCredentialFromFile(File ccFile) throws
> KrbException {
> + CredentialCache cc;
> + try {
> + cc = resolveCredCache(ccFile);
> + } catch (IOException e) {
> + throw new KrbException("Failed to load armor cache file");
> + }
> + return cc.getCredentials().iterator().next();
> + }
> +
> + public CredentialCache resolveCredCache(File ccacheFile) throws
> IOException {
> + CredentialCache cc = new CredentialCache();
> + cc.load(ccacheFile);
> +
> + return cc;
> + }
> }
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/ArmoredRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> index a052518..b7113a5 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/ArmoredRequest.java
> @@ -233,7 +233,7 @@ public class ArmoredRequest {
> authenticator.setCusec(0);
> authenticator.setSubKey(subKey);
>
> - KdcReqBody reqBody = kdcRequest.getReqBody();
> + KdcReqBody reqBody = kdcRequest.getReqBody(null);
> CheckSum checksum = CheckSumUtil.seal(reqBody, null,
> subKey, KeyUsage.TGS_REQ_AUTH_CKSUM);
> authenticator.setCksum(checksum);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/AsRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequest.java
> b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/request/AsRequest.java
> index 7f35d87..d72d46c 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequest.java
> @@ -74,7 +74,7 @@ public class AsRequest extends KdcRequest {
> public void process() throws KrbException {
> super.process();
>
> - KdcReqBody body = getReqBody();
> + KdcReqBody body = getReqBody(null);
>
> AsReq asReq = new AsReq();
> asReq.setReqBody(body);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/AsRequestWithCert.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> index a1f1725..fae5c80 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/AsRequestWithCert.java
> @@ -43,7 +43,7 @@ public class AsRequestWithCert extends AsRequest {
>
> @Override
> public void process() throws KrbException {
> - KdcReqBody body = getReqBody();
> + KdcReqBody body = getReqBody(null);
> AsReq asReq = new AsReq();
> asReq.setReqBody(body);
> setKdcReq(asReq);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/KdcRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/KdcRequest.java
> b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/request/KdcRequest.jav
> a
> index 8b88097..7c241ab 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/KdcRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/KdcRequest.java
> @@ -158,9 +158,9 @@ public abstract class KdcRequest {
> this.kdcReq = kdcReq;
> }
>
> - protected KdcReqBody getReqBody() throws KrbException {
> + protected KdcReqBody getReqBody(KerberosTime renewTill) throws
> KrbException {
> if (reqBody == null) {
> - reqBody = makeReqBody();
> + reqBody = makeReqBody(renewTill);
> }
>
> return reqBody;
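Review bot: The new `renewTill` parameter is only honoured on the first call, because `getReqBody` returns the cached `reqBody` without looking at the argument on later calls; a caller passing a different value afterwards gets the old body silently. That is acceptable for the current single-build flow, but it should be stated in a Javadoc on the method, e.g. `/** Returns the request body, building it with {@code renewTill} on the first call only; later calls return the cached body and ignore the argument. */`. The same caching contract should be visible to the TgsRequestWithTgt hunk that passes the TGT's renew-till.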
> @@ -174,7 +174,7 @@ public abstract class KdcRequest {
> this.kdcRep = kdcRep;
> }
>
> - protected KdcReqBody makeReqBody() throws KrbException {
> + protected KdcReqBody makeReqBody(KerberosTime renewTill) throws
> KrbException {
> KdcReqBody body = new KdcReqBody();
>
> long startTime = System.currentTimeMillis();
> @@ -190,13
> +190,18 @@ public abstract class KdcRequest {
>
> body.setTill(new KerberosTime(startTime +
> getTicketValidTime()));
>
> - long renewLifetime;
> - if (getRequestOptions().contains(KrbOption.RENEWABLE_TIME)) {
> - renewLifetime = getRequestOptions().
> getIntegerOption(KrbOption.RENEWABLE_TIME);
> + KerberosTime rtime;
> + if (renewTill != null) {
> + rtime = renewTill;
> } else {
> - renewLifetime = getContext().getKrbSetting().getKrbConfig().
> getRenewLifetime();
> + long renewLifetime;
> + if (getRequestOptions().contains(KrbOption.RENEWABLE_TIME)) {
> + renewLifetime = getRequestOptions().
> getIntegerOption(KrbOption.RENEWABLE_TIME);
> + } else {
> + renewLifetime = getContext().getKrbSetting().
> getKrbConfig().getRenewLifetime();
> + }
> + rtime = new KerberosTime(startTime + renewLifetime *
> + 1000);
> }
> - KerberosTime rtime = new KerberosTime(startTime + renewLifetime *
> 1000);
> body.setRtime(rtime);
>
> int nonce = generateNonce();
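Review bot: The branch that takes `renewTill` verbatim deserves a why-comment, since it is the only place where the caller's value replaces the computed rtime: `// Renewal: keep the TGT's own renew-till; otherwise derive rtime from the requested or configured renew lifetime.`. Note that a supplied `renewTill` is not compared against the current time, so a renew-till that has already passed is sent as-is and presumably rejected by the KDC; a local check that it lies in the future would fail faster and with a clearer message. The `till` value on the line above is still computed from `getTicketValidTime()` regardless of the branch, which is worth mentioning in the same comment. `makeReqBody` starts and ends outside this hunk.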
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/TgsRequest.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequest.java
> b/kerby-kerb/kerb-client/src/
> main/java/org/apache/kerby/kerberos/kerb/client/request/TgsRequest.jav
> a
> index 8e2526e..8e650b8 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequest.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequest.java
> @@ -67,7 +67,7 @@ public class TgsRequest extends KdcRequest {
>
> TgsReq tgsReq = new TgsReq();
>
> - KdcReqBody tgsReqBody = getReqBody();
> + KdcReqBody tgsReqBody = getReqBody(null);
> tgsReq.setReqBody(tgsReqBody);
> tgsReq.setPaData(getPreauthContext().getOutputPaData());
>
> @@ -79,7 +79,7 @@ public class TgsRequest extends KdcRequest {
> setKdcRep(kdcRep);
>
> TgsRep tgsRep = (TgsRep) getKdcRep();
> - EncTgsRepPart encTgsRepPart = null;
> + EncTgsRepPart encTgsRepPart;
> try {
> encTgsRepPart = EncryptionUtil.unseal(tgsRep.
> getEncryptedEncPart(),
> getSessionKey(),
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-client/src/main/java/org/
> apache/kerby/kerberos/kerb/client/request/TgsRequestWithTgt.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> index ee3151c..5f2e58a 100644
> --- a/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> +++ b/kerby-kerb/kerb-client/src/main/java/org/apache/kerby/
> kerberos/kerb/client/request/TgsRequestWithTgt.java
> @@ -21,6 +21,7 @@ package
> org.apache.kerby.kerberos.kerb.client.request;
>
> import org.apache.kerby.kerberos.kerb.KrbException;
> import org.apache.kerby.kerberos.kerb.client.KrbContext;
> +import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
> import org.apache.kerby.kerberos.kerb.common.CheckSumUtil;
> import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
> import org.apache.kerby.kerberos.kerb.type.KerberosTime;
> @@ -92,8 +93,13 @@ public class TgsRequestWithTgt extends TgsRequest {
> authenticator.setCtime(KerberosTime.now());
> authenticator.setCusec(0);
> authenticator.setSubKey(tgt.getSessionKey());
> + KerberosTime renewTill = null;
> +
> + if (getRequestOptions().contains(KrbKdcOption.RENEW)) {
> + renewTill = tgt.getEncKdcRepPart().getRenewTill();
> + }
> + KdcReqBody reqBody = getReqBody(renewTill);
>
> - KdcReqBody reqBody = getReqBody();
> CheckSum checksum = CheckSumUtil.seal(reqBody, null,
> tgt.getSessionKey(), KeyUsage.TGS_REQ_AUTH_CKSUM);
> authenticator.setCksum(checksum);
>
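Review bot: When `KrbKdcOption.RENEW` is set but the TGT carries no renew-till (`getRenewTill()` presumably returns null for a non-renewable ticket), `renewTill` stays null and `getReqBody(null)` quietly falls back to a freshly computed rtime, so a renewal request is sent as if it were a normal TGS request. It would be clearer to reject that case before building the body: `if (renewTill == null) { throw new KrbException("TGT is not renewable"); }` inside the RENEW branch. Also note that `getReqBody` caches its result, so the value passed here only takes effect if the body has not been built yet. The enclosing method continues outside this hunk.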
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-core/src/main/java/org/apache/
> kerby/kerberos/kerb/type/ticket/SgtTicket.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/
> kerberos/kerb/type/ticket/SgtTicket.java b/kerby-kerb/kerb-core/src/
> main/java/org/apache/kerby/kerberos/kerb/type/ticket/SgtTicket.java
> index 86cdf1e..05c0485 100644
> --- a/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/
> kerberos/kerb/type/ticket/SgtTicket.java
> +++ b/kerby-kerb/kerb-core/src/main/java/org/apache/kerby/
> kerberos/kerb/type/ticket/SgtTicket.java
> @@ -19,13 +19,24 @@
> */
> package org.apache.kerby.kerberos.kerb.type.ticket;
>
> +import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
> import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
>
> /**
> * Service granting ticket.
> */
> public class SgtTicket extends KrbTicket {
> + private PrincipalName clientPrincipal;
> +
> public SgtTicket(Ticket ticket, EncTgsRepPart encKdcRepPart) {
> super(ticket, encKdcRepPart);
> }
> +
> + public PrincipalName getClientPrincipal() {
> + return clientPrincipal;
> + }
> +
> + public void setClientPrincipal(PrincipalName clientPrincipal) {
> + this.clientPrincipal = clientPrincipal;
> + }
> }
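Review bot: `clientPrincipal` is a mutable field that the constructor never initialises, so an `SgtTicket` built through the existing constructor has a null client principal until someone calls `setClientPrincipal`. The new `CredentialCache(SgtTicket)` constructor in the CredentialCache.java hunk reads it twice without a check, producing a `Credential` and a primary principal of null when the setter was skipped. Either add a constructor overload `public SgtTicket(Ticket ticket, EncTgsRepPart encKdcRepPart, PrincipalName clientPrincipal)` so the value is set at construction, or guard the read in CredentialCache with `Objects.requireNonNull(sgt.getClientPrincipal(), "clientPrincipal")`. A short Javadoc on the getter stating who is expected to set the principal would also help.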
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-kerb/kerb-util/src/main/java/org/apache/
> kerby/kerberos/kerb/ccache/CredentialCache.java
> ----------------------------------------------------------------------
> diff --git a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/
> kerberos/kerb/ccache/CredentialCache.java b/kerby-kerb/kerb-util/src/
> main/java/org/apache/kerby/kerberos/kerb/ccache/CredentialCache.java
> index 0a56626..f742649 100644
> --- a/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/
> kerberos/kerb/ccache/CredentialCache.java
> +++ b/kerby-kerb/kerb-util/src/main/java/org/apache/kerby/
> kerberos/kerb/ccache/CredentialCache.java
> @@ -20,6 +20,7 @@
> package org.apache.kerby.kerberos.kerb.ccache;
>
> import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
> +import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
>
> @@ -53,6 +54,12 @@ public class CredentialCache implements
> KrbCredentialCache {
> setPrimaryPrincipal(tgt.getClientPrincipal());
> }
>
> + public CredentialCache(SgtTicket sgt) {
> + this();
> + addCredential(new Credential(sgt, sgt.getClientPrincipal()));
> + setPrimaryPrincipal(sgt.getClientPrincipal());
> + }
> +
> public CredentialCache(Credential credential) {
> this();
> addCredential(credential);
>
> http://git-wip-us.apache.org/repos/asf/directory-kerby/
> blob/05be3503/kerby-tool/client-tool/src/main/java/org/
> apache/kerby/kerberos/tool/kinit/KinitTool.java
> ----------------------------------------------------------------------
> diff --git a/kerby-tool/client-tool/src/main/java/org/apache/kerby/
> kerberos/tool/kinit/KinitTool.java b/kerby-tool/client-tool/src/
> main/java/org/apache/kerby/kerberos/tool/kinit/KinitTool.java
> index 735739e..f2e585c 100644
> --- a/kerby-tool/client-tool/src/main/java/org/apache/kerby/
> kerberos/tool/kinit/KinitTool.java
> +++ b/kerby-tool/client-tool/src/main/java/org/apache/kerby/
> kerberos/tool/kinit/KinitTool.java
> @@ -61,7 +61,7 @@ public class KinitTool {
> + "\tOPTIONS:\n"
> + "\t\t-V verbose\n"
> + "\t\t-l lifetime\n"
> - + "\t\t--s start time\n"
> + + "\t\t-s start time\n"
> + "\t\t-r renewable lifetime\n"
> + "\t\t-f forwardable\n"
> + "\t\t-F not forwardable\n"
> @@ -112,8 +112,7 @@ public class KinitTool {
> return password;
> }
>
> - private static void requestTicket(String principal,
> - KOptions ktOptions) throws
> KrbException {
> + private static void requestTicket(String principal, KOptions
> ktOptions) {
> ktOptions.add(KinitOption.CLIENT_PRINCIPAL, principal);
>
> File confDir = null;
> @@ -121,6 +120,38 @@ public class KinitTool {
> confDir = ktOptions.getDirOption(KinitOption.CONF_DIR);
> }
>
> + KrbClient krbClient = null;
> + try {
> + krbClient = getClient(confDir);
> + } catch (KrbException e) {
> + System.err.println("Create krbClient failed: " +
> e.getMessage());
> + System.exit(1);
> + }
> +
> + if (ktOptions.contains(KinitOption.RENEW)) {
> + if (ktOptions.contains(KinitOption.KRB5_CACHE)) {
> + String ccName = ktOptions.getStringOption(
> KinitOption.KRB5_CACHE);
> + File ccFile = new File(ccName);
> +
> + SgtTicket sgtTicket = null;
> + try {
> + sgtTicket = krbClient.requestSgt(ccFile);
> + } catch (KrbException e) {
> + System.err.println("kinit: " + e.getKrbErrorCode().
> getMessage());
> + }
> +
> + try {
> + krbClient.storeTicket(sgtTicket, ccFile);
> + } catch (KrbException e) {
> + System.err.println("kinit: " + e.getKrbErrorCode().
> getMessage());
> + }
> +
> + System.out.println("Successfully renewed.");
> + }
> + return;
> + }
> +
> +
> if (ktOptions.contains(KinitOption.ANONYMOUS)) {
> ktOptions.add(PkinitOption.USE_ANONYMOUS);
> ktOptions.add(PkinitOption.X509_ANCHORS);
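Review bot: In the renew branch a failed `requestSgt(ccFile)` only prints the error and continues, so `storeTicket` is called with a null `sgtTicket` and "Successfully renewed." is printed regardless of the outcome. Each of the two `catch (KrbException e)` blocks should end with `return;` (or `System.exit(1);`, matching the krbClient failure above) so the success message is only reached when both calls succeeded. The `RENEW` option without `KRB5_CACHE` also returns without any output; a `System.err.println("kinit: -R requires a credential cache (-c)")` before the `return` would tell the user why nothing happened. `requestTicket` starts and ends outside this hunk.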
> @@ -131,14 +162,6 @@ public class KinitTool {
> ktOptions.add(KinitOption.USER_PASSWD, password);
> }
>
> - KrbClient krbClient = null;
> - try {
> - krbClient = getClient(confDir);
> - } catch (KrbException e) {
> - System.err.println("Create krbClient failed: " +
> e.getMessage());
> - System.exit(1);
> - }
> -
> TgtTicket tgt = null;
> try {
> tgt = krbClient.requestTgt(convertOptions(ktOptions));
> @@ -168,8 +191,13 @@ public class KinitTool {
> + ccacheFile.getAbsolutePath());
> if (ktOptions.contains(KinitOption.SERVICE)) {
> String servicePrincipal = ktOptions.getStringOption(
> KinitOption.SERVICE);
> - SgtTicket sgtTicket =
> - krbClient.requestSgt(tgt, servicePrincipal);
> + SgtTicket sgtTicket;
> + try {
> + sgtTicket = krbClient.requestSgt(tgt, servicePrincipal);
> + } catch (KrbException e) {
> + System.err.println("kinit: " + e.getKrbErrorCode().
> getMessage());
> + return;
> + }
> System.out.println("Successfully requested the service
> ticket for " + servicePrincipal
> + "\nKey version: " + sgtTicket.getTicket().getTktvno());
> }
> @@ -191,7 +219,7 @@ public class KinitTool {
> return krbClient;
> }
>
> - public static void main(String[] args) throws Exception {
> + public static void main(String[] args) {
> KOptions ktOptions = new KOptions();
> KinitOption kto;
> String principal = null;
> @@ -242,7 +270,7 @@ public class KinitTool {
> if (principal == null) {
> if (ktOptions.contains(KinitOption.ANONYMOUS)) {
> principal = KrbConstant.ANONYMOUS_PRINCIPAL;
> - } else {
> + } else if (!ktOptions.contains(KinitOption.KRB5_CACHE)) {
> printUsage("No principal is specified");
> }
> }
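Review bot: The new condition skips the principal check whenever `KRB5_CACHE` is present, but only the renew path in `requestTicket` can work without a principal; with a cache option and no `RENEW`, `principal` stays null and the code appears to proceed into the normal TGT request with a null client principal. The exemption should be tied to the renew case: `} else if (!(ktOptions.contains(KinitOption.RENEW) && ktOptions.contains(KinitOption.KRB5_CACHE))) {`. The rest of `main` is outside this hunk, so I cannot see whether a later check catches the null principal.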
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com