New test/sun/security/krb5/auto/OkAsDelegateXRealm.java

   1 /*
   2  * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 /*
  25  * @test
  26  * @bug 6853328 7172701
  27  * @modules java.base/sun.net.spi.nameservice
  28  *          java.base/sun.security.util
  29  *          java.security.jgss/sun.security.jgss
  30  *          java.security.jgss/sun.security.krb5
  31  *          java.security.jgss/sun.security.krb5.internal
  32  *          java.security.jgss/sun.security.krb5.internal.ccache
  33  *          java.security.jgss/sun.security.krb5.internal.crypto
  34  *          java.security.jgss/sun.security.krb5.internal.ktab
  35  * @run main/othervm OkAsDelegateXRealm false
  36  *      KDC no OK-AS-DELEGATE, fail
  37  * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true
  38  *      KDC set OK-AS-DELEGATE for all, succeed
  39  * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false
  40  *      KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
  41  * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local,krbtgt/R2,krbtgt/R3 OkAsDelegateXRealm true
  42  *      KDC set OK-AS-DELEGATE for all three, succeed
  43  * @summary Support OK-AS-DELEGATE flag
  44  */
  45 import java.io.FileOutputStream;
  46 import java.io.IOException;
  47 import java.security.Security;
  48 import javax.security.auth.callback.Callback;
  49 import javax.security.auth.callback.CallbackHandler;
  50 import javax.security.auth.callback.NameCallback;
  51 import javax.security.auth.callback.PasswordCallback;
  52 import javax.security.auth.callback.UnsupportedCallbackException;
  53 
  54 import com.sun.security.jgss.ExtendedGSSContext;
  55 import org.ietf.jgss.GSSException;
  56 import sun.security.jgss.GSSUtil;
  57 import sun.security.krb5.Config;
  58 
  59 public class OkAsDelegateXRealm implements CallbackHandler {
  60 
  61     /**
  62      * @param args boolean if the program should succeed
  63      */
  64     public static void main(String[] args)
  65             throws Exception {
  66 
  67         // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
  68         // R1 is trusted by R2, and R2 trusted by R3.
  69         KDC kdc1 = KDC.create("R1");
  70         kdc1.setOption(KDC.Option.OK_AS_DELEGATE,
  71                 System.getProperty("test.kdc.policy.ok-as-delegate"));
  72         kdc1.addPrincipal("dummy", "bogus".toCharArray());
  73         kdc1.addPrincipalRandKey("krbtgt/R1");
  74         kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
  75 
  76         KDC kdc2 = KDC.create("R2");
  77         kdc2.setOption(KDC.Option.OK_AS_DELEGATE,
  78                 System.getProperty("test.kdc.policy.ok-as-delegate"));
  79         kdc2.addPrincipalRandKey("krbtgt/R2");
  80         kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
  81         kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
  82 
  83         KDC kdc3 = KDC.create("R3");
  84         kdc3.setOption(KDC.Option.OK_AS_DELEGATE,
  85                 System.getProperty("test.kdc.policy.ok-as-delegate"));
  86         kdc3.addPrincipalRandKey("krbtgt/R3");
  87         kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
  88         kdc3.addPrincipalRandKey("host/host.r3.local");
  89 
  90         KDC.saveConfig("krb5-localkdc.conf", kdc1, kdc2, kdc3,
  91                 "forwardable=true",
  92                 "[capaths]",
  93                 "R1 = {",
  94                 "    R2 = .",
  95                 "    R3 = R2",
  96                 "}",
  97                 "[domain_realm]",
  98                 ".r3.local=R3"
  99                 );
 100 
 101         System.setProperty("java.security.krb5.conf", "krb5-localkdc.conf");
 102         kdc3.writeKtab("localkdc.ktab");
 103 
 104         FileOutputStream fos = new FileOutputStream("jaas-localkdc.conf");
 105 
 106         // Defines the client and server on R1 and R3 respectively.
 107         fos.write(("com.sun.security.jgss.krb5.initiate {\n" +
 108                 "    com.sun.security.auth.module.Krb5LoginModule\n" +
 109                 "    required\n" +
 110                 "    principal=dummy\n" +
 111                 "    doNotPrompt=false\n" +
 112                 "    useTicketCache=false\n" +
 113                 "    ;\n};\n" +
 114                 "com.sun.security.jgss.krb5.accept {\n" +
 115                 "    com.sun.security.auth.module.Krb5LoginModule required\n" +
 116                 "    principal=\"host/host.r3.local@R3\"\n" +
 117                 "    useKeyTab=true\n" +
 118                 "    keyTab=localkdc.ktab\n" +
 119                 "    isInitiator=false\n" +
 120                 "    storeKey=true;\n};\n" +
 121                 "\n").getBytes());
 122         fos.close();
 123 
 124         Security.setProperty("auth.login.defaultCallbackHandler",
 125                 "OkAsDelegateXRealm");
 126 
 127         System.setProperty("java.security.auth.login.config", "jaas-localkdc.conf");
 128 
 129         Config.refresh();
 130 
 131         Context c = Context.fromJAAS("com.sun.security.jgss.krb5.initiate");
 132         Context s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
 133 
 134         // Test twice. The frist time the whole cross realm process is tried,
 135         // the second time the cached service ticket is used. This is to make sure
 136         // the behaviors are the same, especailly for the case when one of the
 137         // cross-realm TGTs does not have OK-AS-DELEGATE on.
 138 
 139         for (int i=0; i<2; i++) {
 140             c.startAsClient("host@host.r3.local", GSSUtil.GSS_KRB5_MECH_OID);
 141             s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
 142             ((ExtendedGSSContext)c.x()).requestDelegPolicy(true);
 143 
 144             Context.handshake(c, s);
 145             boolean succeed = true;
 146             try {
 147                 s.x().getDelegCred();
 148             } catch (GSSException gsse) {
 149                 succeed = false;
 150             }
 151             if (succeed != Boolean.parseBoolean(args[0])) {
 152                 throw new Exception("Test fail at round #" + i);
 153             }
 154         }
 155     }
 156 
 157     @Override
 158     public void handle(Callback[] callbacks)
 159             throws IOException, UnsupportedCallbackException {
 160         for (Callback callback : callbacks) {
 161             if (callback instanceof NameCallback) {
 162                 ((NameCallback) callback).setName("dummy");
 163             }
 164             if (callback instanceof PasswordCallback) {
 165                 ((PasswordCallback) callback).setPassword("bogus".toCharArray());
 166             }
 167         }
 168     }
 169 }
 170