1 /*
2 * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23 /*
24 * @test
25 * @bug 8005447
26 * @modules java.security.jgss/sun.security.jgss
27 * @compile -XDignore.symbol.file ServiceCredsCombination.java
28 * @run main ServiceCredsCombination
29 * @summary default principal can act as anyone
30 */
31
32 import java.security.PrivilegedActionException;
33 import java.security.PrivilegedExceptionAction;
34 import java.util.Objects;
35 import javax.security.auth.Subject;
36 import javax.security.auth.kerberos.KerberosKey;
37 import javax.security.auth.kerberos.KerberosPrincipal;
38 import javax.security.auth.kerberos.KeyTab;
39 import org.ietf.jgss.GSSCredential;
40 import org.ietf.jgss.GSSException;
41 import org.ietf.jgss.GSSManager;
42 import org.ietf.jgss.GSSName;
43 import sun.security.jgss.GSSUtil;
44
45 public class ServiceCredsCombination {
46
47 public static void main(String[] args) throws Exception {
48 // pass
49 check("a", "a", princ("a"), key("a"));
50 check(null, "a", princ("a"), key("a"));
51 check("x", "NOCRED", princ("a"), key("a"));
52 // two pass
53 check("a", "a", princ("a"), key("a"), princ("b"), key("b"));
54 check("b", "b", princ("a"), key("a"), princ("b"), key("b"));
55 check(null, null, princ("a"), key("a"), princ("b"), key("b"));
56 check("x", "NOCRED", princ("a"), key("a"), princ("b"), key("b"));
57 // old ktab
58 check("b", "b", princ("b"), oldktab());
59 check("x", "NOCRED", princ("b"), oldktab());
60 check(null, "b", princ("b"), oldktab());
61 // Two old ktab
62 check("a", "a", princ("a"), princ("b"), oldktab(), oldktab());
63 check("b", "b", princ("a"), princ("b"), oldktab(), oldktab());
64 check(null, null, princ("a"), princ("b"), oldktab(), oldktab());
65 check("x", "NOCRED", princ("a"), princ("b"), oldktab(), oldktab());
66 // bound ktab
67 check("c", "c", princ("c"), ktab("c"));
68 check(null, "c", princ("c"), ktab("c"));
69 // unbound ktab
70 check("x", "x", ktab());
71 check(null, null, ktab());
72 // Two bound ktab
73 check("c1", "c1", princ("c1"), princ("c2"), ktab("c1"), ktab("c2"));
74 check("c2", "c2", princ("c1"), princ("c2"), ktab("c1"), ktab("c2"));
75 check("x", "NOCRED", princ("c1"), princ("c2"), ktab("c1"), ktab("c2"));
76 check(null, null, princ("c1"), princ("c2"), ktab("c1"), ktab("c2"));
77 // One bound, one unbound
78 check("c1", "c1", princ("c1"), ktab("c1"), ktab());
79 check("x", "x", princ("c1"), ktab("c1"), ktab());
80 check(null, null, princ("c1"), ktab("c1"), ktab());
81 // Two unbound ktab
82 check("x", "x", ktab(), ktab());
83 check(null, null, ktab(), ktab());
84 // pass + old ktab
85 check("a", "a", princ("a"), princ("b"), key("a"), oldktab());
86 check("b", "b", princ("a"), princ("b"), key("a"), oldktab());
87 check(null, null, princ("a"), princ("b"), key("a"), oldktab());
88 check("x", "NOCRED", princ("a"), princ("b"), key("a"), oldktab());
89 // pass + bound ktab
90 check("a", "a", princ("a"), princ("c"), key("a"), ktab("c"));
91 check("c", "c", princ("a"), princ("c"), key("a"), ktab("c"));
92 check("x", "NOCRED", princ("a"), princ("c"), key("a"), ktab("c"));
93 check(null, null, princ("a"), princ("c"), key("a"), ktab("c"));
94 // pass + unbound ktab
95 check("a", "a", princ("a"), key("a"), ktab());
96 check("x", "x", princ("a"), key("a"), ktab());
97 check(null, null, princ("a"), key("a"), ktab());
98 // Compatibility, automatically add princ for keys
99 check(null, "a", key("a"));
100 check("x", "NOCRED", key("a"));
101 check(null, "a", key("a"), oldktab());
102 check("x", "NOCRED", key("a"), oldktab());
103 // Limitation, "a" has no key, but we don't know oldktab() is for "b"
104 check("a", "a", princ("a"), princ("b"), oldktab());
105 }
106
107 /**
108 * Checks the correct bound
109 * @param a get a creds for this principal, null for default one
110 * @param b expected name, null for still unbound, "NOCRED" for no creds
111 * @param objs princs, keys and keytabs in the subject
112 */
113 private static void check(final String a, String b, Object... objs)
114 throws Exception {
115 Subject subj = new Subject();
116 for (Object obj: objs) {
117 if (obj instanceof KerberosPrincipal) {
118 subj.getPrincipals().add((KerberosPrincipal)obj);
119 } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
120 subj.getPrivateCredentials().add(obj);
121 }
122 }
123 final GSSManager man = GSSManager.getInstance();
124 try {
125 String result = Subject.doAs(
126 subj, new PrivilegedExceptionAction<String>() {
127 @Override
128 public String run() throws GSSException {
129 GSSCredential cred = man.createCredential(
130 a == null ? null : man.createName(r(a), null),
131 GSSCredential.INDEFINITE_LIFETIME,
132 GSSUtil.GSS_KRB5_MECH_OID,
133 GSSCredential.ACCEPT_ONLY);
134 GSSName name = cred.getName();
135 return name == null ? null : name.toString();
136 }
137 });
138 if (!Objects.equals(result, r(b))) {
139 throw new Exception("Check failed: getInstance(" + a
140 + ") has name " + result + ", not " + b);
141 }
142 } catch (PrivilegedActionException e) {
143 if (!"NOCRED".equals(b)) {
144 throw new Exception("Check failed: getInstance(" + a
145 + ") is null " + ", but not one with name " + b);
146 }
147 }
148 }
149 private static String r(String s) {
150 return s == null ? null : (s+"@REALM");
151 }
152 private static KerberosPrincipal princ(String s) {
153 return new KerberosPrincipal(r(s));
154 }
155 private static KerberosKey key(String s) {
156 return new KerberosKey(princ(s), new byte[0], 0, 0);
157 }
158 private static KeyTab oldktab() {
159 return KeyTab.getInstance();
160 }
161 static KeyTab ktab(String s) {
162 return KeyTab.getInstance(princ(s));
163 }
164 static KeyTab ktab() {
165 return KeyTab.getUnboundInstance();
166 }
167 }