1 /*
   2  * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 import java.io.IOException;
  25 import java.security.NoSuchAlgorithmException;
  26 import java.security.PrivilegedActionException;
  27 import java.util.HashMap;
  28 import java.util.Map;
  29 import javax.security.auth.login.LoginException;
  30 
  31 /*
  32  * @test
  33  * @bug 8025123
  34  * @summary Checks if an unbound server can handle connections
  35  *          only for allowed service principals
  36  * @run main/othervm/policy=unbound.ssl.policy UnboundSSL
  37  *                              unbound.ssl.jaas.conf server_star
  38  * @run main/othervm/policy=unbound.ssl.policy UnboundSSL
  39  *                              unbound.ssl.jaas.conf server_multiple_principals
  40  */
  41 public class UnboundSSL {
  42 
  43     public static void main(String[] args) throws IOException,
  44             NoSuchAlgorithmException,LoginException, PrivilegedActionException,
  45             InterruptedException {
  46         UnboundSSL test = new UnboundSSL();
  47         test.start(args[0], args[1]);
  48     }
  49 
  50     private void start(String jaacConfigFile, String serverJaasConfig)
  51             throws IOException, NoSuchAlgorithmException,LoginException,
  52             PrivilegedActionException, InterruptedException {
  53 
  54         // define principals
  55         String service1host = "service1." + UnboundSSLUtils.HOST;
  56         String service2host = "service2." + UnboundSSLUtils.HOST;
  57         String service3host = "service3." + UnboundSSLUtils.HOST;
  58         String service1Principal = "host/" + service1host + "@"
  59                 + UnboundSSLUtils.REALM;
  60         String service2Principal = "host/" + service2host + "@"
  61                 + UnboundSSLUtils.REALM;
  62         String service3Principal = "host/" + service3host + "@"
  63                 + UnboundSSLUtils.REALM;
  64 
  65         Map<String, String> principals = new HashMap<>();
  66         principals.put(UnboundSSLUtils.USER_PRINCIPAL,
  67                 UnboundSSLUtils.USER_PASSWORD);
  68         principals.put(UnboundSSLUtils.KRBTGT_PRINCIPAL, null);
  69         principals.put(service1Principal, null);
  70         principals.put(service2Principal, null);
  71         principals.put(service3Principal, null);
  72 
  73         System.setProperty("java.security.krb5.conf",
  74                UnboundSSLUtils.KRB5_CONF_FILENAME);
  75 
  76         // start a local KDC instance
  77         UnboundSSLUtils.startKDC(UnboundSSLUtils.REALM, principals,
  78                 UnboundSSLUtils.KTAB_FILENAME, UnboundSSLUtils.KtabMode.APPEND);
  79 
  80         System.setProperty("java.security.auth.login.config",
  81                 UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
  82         System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
  83 
  84         try (final SSLEchoServer server = SSLEchoServer.init(
  85                 UnboundSSLUtils.TLS_KRB5_FILTER, UnboundSSLUtils.SNI_PATTERN)) {
  86 
  87             // start a server instance
  88             UnboundSSLUtils.startServerWithJaas(server, serverJaasConfig);
  89 
  90             // wait for the server is ready
  91             while (!server.isReady()) {
  92                 Thread.sleep(UnboundSSLUtils.DELAY);
  93             }
  94 
  95             int port = server.getPort();
  96 
  97             // run clients
  98 
  99             // the server should have a permission to handle a request
 100             // with this service principal (there should be an appropriate
 101             // javax.security.auth.kerberos.ServicePermission in policy file)
 102             System.out.println("Connect: SNI hostname = " + service1host
 103                     + ", successful connection is expected");
 104             SSLClient.init(UnboundSSLUtils.HOST, port,
 105                     UnboundSSLUtils.TLS_KRB5_FILTER, service1host).connect();
 106 
 107             // the server should NOT have a permission to handle a request
 108             // with this service principal (there should be an appropriate
 109             // javax.security.auth.kerberos.ServicePermission in policy file)
 110             // handshake failures is expected
 111             System.out.println("Connect: SNI hostname = " + service2host
 112                     + ", connection failure is expected");
 113             try {
 114                 SSLClient.init(UnboundSSLUtils.HOST, port,
 115                         UnboundSSLUtils.TLS_KRB5_FILTER, service2host)
 116                             .connect();
 117                 throw new RuntimeException("Test failed: "
 118                         + "expected IOException not thrown");
 119             } catch (IOException e) {
 120                 System.out.println("Expected exception: " + e);
 121             }
 122 
 123             // the server should have a permission to handle a request
 124             // with this service principal (there should be an appropriate
 125             // javax.security.auth.kerberos.ServicePermission in policy file)
 126             System.out.println("Connect: SNI hostname = " + service3host
 127                     + ", successful connection is expected");
 128             SSLClient.init(UnboundSSLUtils.HOST, port,
 129                     UnboundSSLUtils.TLS_KRB5_FILTER, service3host).connect();
 130         }
 131 
 132         System.out.println("Test passed");
 133     }
 134 }