1 /*
2 * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 import java.io.*;
25 import java.net.DatagramSocket;
26 import java.net.ServerSocket;
27 import java.nio.file.Files;
28 import java.nio.file.Paths;
29 import java.security.Security;
30 import java.util.ArrayList;
31 import java.util.List;
32 import java.util.Random;
33 import java.util.regex.Matcher;
34 import java.util.regex.Pattern;
35 import javax.security.auth.login.LoginException;
36 import sun.security.krb5.Asn1Exception;
37 import sun.security.krb5.Config;
38
39 /*
40 * @test
41 * @bug 8164656
42 * @run main/othervm KdcPolicy udp
43 * @run main/othervm KdcPolicy tcp
44 * @summary krb5.kdc.bad.policy test
45 */
46 public class KdcPolicy {
47
48 // Is this test on UDP?
49 static boolean udp;
50
51 public static void main(String[] args) throws Exception {
52
53 udp = args[0].equals("udp");
54
55 try {
56 main0();
57 } catch (LoginException le) {
58 Throwable cause = le.getCause();
59 if (cause instanceof Asn1Exception) {
60 System.out.println("Another process sends a packet to " +
61 "this server. Ignored.");
62 return;
63 }
64 throw le;
65 }
66 }
67
68 static DebugMatcher cm = new DebugMatcher();
69
70 static void main0() throws Exception {
71
72 System.setProperty("sun.security.krb5.debug", "true");
73
74 // One real KDC. Must be created before fake KDCs
75 // to read the TestHosts file.
76 OneKDC kdc = new OneKDC(null);
77
78 // Two fake KDCs, d1 and d2 only listen but do not respond.
79
80 if (udp) {
81 try (DatagramSocket d1 = new DatagramSocket();
82 DatagramSocket d2 = new DatagramSocket()) {
83 run(d1.getLocalPort(), d2.getLocalPort(), kdc.getPort());
84 }
85 } else {
86 try (ServerSocket d1 = new ServerSocket(0);
87 ServerSocket d2 = new ServerSocket(0)) {
88 run(d1.getLocalPort(), d2.getLocalPort(), kdc.getPort());
89 }
90 }
91 }
92
93 static void run(int p1, int p2, int p3) throws Exception {
94
95 // cm.kdc() will return a and b for fake KDCs, and c for real KDC.
96 cm.addPort(-1).addPort(p1).addPort(p2).addPort(p3);
97
98 System.setProperty("java.security.krb5.conf", "alternative-krb5.conf");
99
100 // Check default timeout is 30s. Use real KDC only, otherwise too
101 // slow to wait for timeout.
102 writeConf(-1, -1, p3);
103 test("c30000c30000");
104
105 // 1. Default policy is tryLast
106 //Security.setProperty("krb5.kdc.bad.policy", "tryLast");
107
108 // Need a real KDC, otherwise there is no last good.
109 // This test waste 3 seconds waiting for d1 to timeout.
110 // It is possible the real KDC cannot fulfil the request
111 // in 3s, so it might fail (either 1st time or 2nd time).
112 writeConf(1, 3000, p1, p3);
113 test("a3000c3000c3000|a3000c3000-|a3000c3000c3000-");
114
115 // If a test case won't use a real KDC, it can be sped up.
116 writeConf(3, 5, p1, p2);
117 test("a5a5a5b5b5b5-"); // default max_retries == 3
118 test("a5a5a5b5b5b5-"); // all bad means no bad
119
120 // 2. No policy.
121 Security.setProperty("krb5.kdc.bad.policy", "");
122 Config.refresh();
123
124 // This case needs a real KDC, otherwise, all bad means no
125 // bad and we cannot tell the difference. This case waste 3
126 // seconds on d1 to timeout twice. It is possible the real KDC
127 // cannot fulfil the request within 3s, so it might fail
128 // (either 1st time or 2nd time).
129 writeConf(1, 3000, p1, p3);
130 test("a3000c3000a3000c3000|a3000c3000-|a3000c3000a3000c3000-");
131
132 // 3. tryLess with no argument means tryLess:1,5000
133 Security.setProperty("krb5.kdc.bad.policy", "tryLess");
134
135 // This case will waste 11s. We are checking that the default
136 // value of 5000 in tryLess is only used if it's less than timeout
137 // in krb5.conf
138 writeConf(1, 6000, p1);
139 test("a6000-"); // timeout in krb5.conf is 6s
140 test("a5000-"); // tryLess to 5s. This line can be made faster if
141 // d1 is a read KDC, but we have no existing method
142 // to start KDC on an existing ServerSocket (port).
143
144 writeConf(-1, 4, p1, p2);
145 test("a4a4a4b4b4b4-"); // default max_retries == 3
146 test("a4b4-"); // tryLess to 1. And since 4 < 5000, use 4.
147 Config.refresh();
148 test("a4a4a4b4b4b4-");
149
150 writeConf(5, 4, p1, p2);
151 test("a4a4a4a4a4b4b4b4b4b4-"); // user-provided max_retries == 5
152 test("a4b4-");
153 Config.refresh();
154 test("a4a4a4a4a4b4b4b4b4b4-");
155
156 // 3. tryLess with arguments
157 Security.setProperty("krb5.kdc.bad.policy",
158 "tryLess:2,5");
159
160 writeConf(-1, 6, p1, p2);
161 test("a6a6a6b6b6b6-"); // default max_retries == 3
162 test("a5a5b5b5-"); // tryLess to 2
163 Config.refresh();
164 test("a6a6a6b6b6b6-");
165
166 writeConf(5, 4, p1, p2);
167 test("a4a4a4a4a4b4b4b4b4b4-"); // user-provided max_retries == 5
168 test("a4a4b4b4-"); // tryLess to 2
169 Config.refresh();
170 test("a4a4a4a4a4b4b4b4b4b4-");
171 }
172
173 /**
174 * Writes a krb5.conf file.
175 * @param max max_retries, -1 if not set
176 * @param to kdc_timeout, -1 if not set
177 * @param ports where KDCs listen on
178 */
179 static void writeConf(int max, int to, int... ports) throws Exception {
180
181 // content of krb5.conf
182 String conf = "";
183
184 // Extra settings in [libdefaults]
185 String inDefaults = "";
186
187 // Extra settings in [realms]
188 String inRealm = "";
189
190 // We will randomly put extra settings only in [libdefaults],
191 // or in [realms] but with different values in [libdefaults],
192 // to prove that settings in [realms] override those in [libdefaults].
193 Random r = new Random();
194
195 if (max > 0) {
196 if (r.nextBoolean()) {
197 inDefaults += "max_retries = " + max + "\n";
198 } else {
199 inRealm += " max_retries = " + max + "\n";
200 inDefaults += "max_retries = " + (max + 1) + "\n";
201 }
202 }
203
204 if (to > 0) {
205 if (r.nextBoolean()) {
206 inDefaults += "kdc_timeout = " + to + "\n";
207 } else {
208 inRealm += " kdc_timeout = " + to + "\n";
209 inDefaults += "kdc_timeout = " + (to + 1) + "\n";
210 }
211 }
212
213 if (udp) {
214 if (r.nextBoolean()) {
215 inDefaults += "udp_preference_limit = 10000\n";
216 } else if (r.nextBoolean()) {
217 inRealm += " udp_preference_limit = 10000\n";
218 inDefaults += "udp_preference_limit = 1\n";
219 } // else no settings means UDP
220 } else {
221 if (r.nextBoolean()) {
222 inDefaults += "udp_preference_limit = 1\n";
223 } else {
224 inRealm += " udp_preference_limit = 1\n";
225 inDefaults += "udp_preference_limit = 10000\n";
226 }
227 }
228
229 conf = "[libdefaults]\n" +
230 "default_realm = " + OneKDC.REALM + "\n" +
231 inDefaults +
232 "\n" +
233 "[realms]\n" +
234 OneKDC.REALM + " = {\n";
235
236 for (int port : ports) {
237 conf += " kdc = " + OneKDC.KDCHOST + ":" + port + "\n" +
238 inRealm;
239 }
240
241 conf += "}\n";
242
243 Files.write(Paths.get("alternative-krb5.conf"), conf.getBytes());
244 Config.refresh();
245 }
246
247 /**
248 * One call of krb5 login. As long as the result matches one of expected,
249 * the test is considered as success. The grammar of expected is
250 *
251 * kdc#, timeout, kdc#, timeout, ..., optional "-" for failure
252 */
253 static void test(String... expected) throws Exception {
254
255 System.out.println("------------------TEST----------------------");
256 PrintStream oldOut = System.out;
257 boolean failed = false;
258 ByteArrayOutputStream bo = new ByteArrayOutputStream();
259 System.setOut(new PrintStream(bo));
260 try {
261 Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
262 } catch (Exception e) {
263 failed = true;
264 } finally {
265 System.setOut(oldOut);
266 }
267
268 String[] lines = new String(bo.toByteArray()).split("\n");
269 StringBuilder sb = new StringBuilder();
270 for (String line: lines) {
271 if (cm.match(line)) {
272 if (udp != cm.isUDP()) {
273 sb.append("x");
274 }
275 sb.append(cm.kdc()).append(cm.timeout());
276 }
277 }
278 if (failed) sb.append('-');
279
280 String output = sb.toString();
281
282 boolean found = false;
283 for (String ex : expected) {
284 if (output.matches(ex)) {
285 System.out.println("Expected: " + ex + ", actual " + output);
286 found = true;
287 break;
288 }
289 }
290
291 if (!found) {
292 System.out.println("--------------- ERROR START -------------");
293 System.out.println(new String(bo.toByteArray()));
294 System.out.println("--------------- ERROR END ---------------");
295 throw new Exception("Does not match. Output is " + output);
296 }
297 }
298
299 /**
300 * A helper class to match the krb5 debug output:
301 * >>> KDCCommunication: kdc=host UDP:11555, timeout=200,Attempt =1, #bytes=138
302 *
303 * Example:
304 * DebugMatcher cm = new DebugMatcher();
305 * cm.addPort(12345).addPort(11555);
306 * for (String line : debugOutput) {
307 * if (cm.match(line)) {
308 * System.out.printf("%c%d\n", cm.kdc(), cm.timeout());
309 * // shows b200 for the example above
310 * }
311 * }
312 */
313 static class DebugMatcher {
314
315 static final Pattern re = Pattern.compile(
316 ">>> KDCCommunication: kdc=\\S+ (TCP|UDP):(\\d+), " +
317 "timeout=(\\d+),Attempt\\s*=(\\d+)");
318
319 List<Integer> kdcPorts = new ArrayList<>();
320 Matcher matcher;
321
322 /**
323 * Add KDC ports one by one. See {@link #kdc()}.
324 */
325 DebugMatcher addPort(int port) {
326 if (port > 0) {
327 kdcPorts.add(port);
328 } else {
329 kdcPorts.clear();
330 }
331 return this;
332 }
333
334 /**
335 * When a line matches the ">>> KDCCommunication:" pattern. After a
336 * match, the getters below can be called on this match.
337 */
338 boolean match(String line) {
339 matcher = re.matcher(line);
340 return matcher.find();
341 }
342
343 /**
344 * Protocol of this match, "UDP" or "TCP".
345 */
346 boolean isUDP() {
347 return matcher.group(1).equals("UDP");
348 }
349
350 /**
351 * KDC for this match, "a" for the one 1st added bt addPort(), "b"
352 * for second, etc. Undefined for not added.
353 */
354 char kdc() {
355 int port = Integer.parseInt(matcher.group(2));
356 return (char) (kdcPorts.indexOf(port) + 'a');
357 }
358
359 /**
360 * Timeout value for this match.
361 */
362 int timeout() {
363 return Integer.parseInt(matcher.group(3));
364 }
365 }
366 }