public static void main(String[] args) throws Exception {
Oid mech;
if (args[0].equals("spnego")) {
mech = GSSUtil.GSS_SPNEGO_MECH_OID;
} else if (args[0].contains("krb5")) {
mech = GSSUtil.GSS_KRB5_MECH_OID;
} else {
throw new Exception("Unknown mech");
}
OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf();
kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
Map<String, List<String>> map = new HashMap<>();
map.put(
OneKDC.SERVER + "@" + OneKDC.REALM,
Arrays.asList(new String[] {OneKDC.BACKEND + "@" + OneKDC.REALM}));
kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
Context c, s, b;
c = Context.fromJAAS("client");
s = Context.fromJAAS("server");
b = Context.fromJAAS("backend");
c.startAsClient(OneKDC.SERVER, mech);
s.startAsServer(null, mech, false);
Context.handshake(c, s);
Context p = s.delegated();
p.startAsClient(OneKDC.BACKEND, mech);
b.startAsServer(mech);
Context.handshake(p, b);
p.startAsClient(OneKDC.BACKEND, mech);
b.startAsServer(mech);
Context.handshake(p, b);
}
void go() throws Exception {
OneKDC k = new OneKDC(null);
k.writeJAASConf();
Files.delete(Paths.get(OneKDC.KTAB));
// Starts with no keytab
c = Context.fromJAAS("client");
s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
// Test 1: read new key 1 from keytab
k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
k.writeKtab(OneKDC.KTAB);
connect();
// Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
k.appendKtab(OneKDC.KTAB);
connect();
// Test 3: re-login. Now find 2 in keytab
c = Context.fromJAAS("client");
connect();
// Test 4: re-login, KDC use 3 this time.
c = Context.fromJAAS("client");
// Put 3 and 4 into keytab but keep the real key back to 3.
k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
k.appendKtab(OneKDC.KTAB);
k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
k.appendKtab(OneKDC.KTAB);
k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
connect();
// Test 5: invalid keytab file, should ignore
try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) {
fos.write("BADBADBAD".getBytes());
}
connect();
// Test 6: delete keytab file, identical to revoke all
Files.delete(Paths.get(OneKDC.KTAB));
try {
connect();
throw new Exception("Should not success");
} catch (GSSException gsse) {
System.out.println(gsse);
KrbException ke = (KrbException) gsse.getCause();
// KrbApReq.authenticate(*) if (dkey == null)...
// This should have been Krb5.KRB_AP_ERR_NOKEY
if (ke.returnCode() != Krb5.API_INVALID_ARG) {
throw new Exception("Not expected failure code: " + ke.returnCode());
}
}
// Test 7: 3 revoked, should fail (now contains only 5)
k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
k.writeKtab(OneKDC.KTAB); // overwrite keytab, which means
// old key is revoked
try {
connect();
throw new Exception("Should not success");
} catch (GSSException gsse) {
System.out.println(gsse);
// Since 7197159, different kvno is accepted, this return code
// will never be thrown out again.
// KrbException ke = (KrbException)gsse.getCause();
// if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
// throw new Exception("Not expected failure code: " +
// ke.returnCode());
// }
}
// Test 8: an empty KDC means revoke all
KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
try {
connect();
throw new Exception("Should not success");
} catch (GSSException gsse) {
System.out.println(gsse);
KrbException ke = (KrbException) gsse.getCause();
// KrbApReq.authenticate(*) if (dkey == null)...
// This should have been Krb5.KRB_AP_ERR_NOKEY
if (ke.returnCode() != Krb5.API_INVALID_ARG) {
throw new Exception("Not expected failure code: " + ke.returnCode());
}
}
}
