/**
 * Enables Kerberos SSO in the Jenkins global configuration, pointing it at the
 * Kerberos and login configuration files exposed by the given KDC container.
 *
 * @param kdc KDC container whose krb5 and login configuration paths are used.
 * @param allowBasic Allow basic authentication.
 */
private void configureSso(KerberosContainer kdc, boolean allowBasic) {
    // Turn Jenkins side debugging on. Both JDK switches make the Kerberos/SPNEGO
    // layers emit verbose protocol traces into the Jenkins process output, which is
    // useful for diagnosing a failed negotiation on a disposable test instance.
    final String enableJdkKerberosDebug =
            "System.setProperty('sun.security.krb5.debug', 'true'); System.setProperty('sun.security.spnego.debug', 'true'); return 42";
    jenkins.runScript(enableJdkKerberosDebug);

    JenkinsConfig globalConfig = jenkins.getConfigPage();
    globalConfig.configure();

    KerberosGlobalConfig ssoSection = new KerberosGlobalConfig(globalConfig);
    ssoSection.enable();
    ssoSection.krb5Conf(kdc.getKrb5ConfPath());
    ssoSection.loginConf(kdc.getLoginConfPath());
    // NOTE(review): presumably switches off the plugin's localhost exemption so that
    // requests coming from the test host still have to authenticate - confirm against
    // KerberosGlobalConfig.
    ssoSection.allowLocalhost(false);
    ssoSection.allowBasic(allowBasic);

    globalConfig.save();
}
/**
 * Checks that a browser holding a Kerberos ticket is recognised through negotiation,
 * while the default browser and a plain HTTP client, neither of which negotiates,
 * are not treated as authenticated. SSO is configured with basic authentication
 * disallowed.
 */
@Test
public void kerberosTicket() throws Exception {
    setupRealmUser();
    KerberosContainer kdc = startKdc();
    configureSso(kdc, false);
    // presumably drops the session used for configuration so that the checks below
    // start unauthenticated - verify against the jenkins page object
    jenkins.logout();

    // Get TGT
    String ticketCache = kdc.getClientTokenCache();

    // Correctly negotiate in browser
    FirefoxDriver ticketHolder = getNegotiatingFirefox(kdc, ticketCache);
    String whoAmIUrl = jenkins.url("/whoAmI").toExternalForm();
    ticketHolder.get(whoAmIUrl);
    String negotiatedPage = ticketHolder.getPageSource();
    assertThat(negotiatedPage, containsString(AUTHORIZED));

    // The global driver is not configured to do so
    jenkins.visit("/whoAmI"); // 401 Unauthorized
    String defaultBrowserPage = driver.getPageSource();
    assertThat(defaultBrowserPage, not(containsString(AUTHORIZED)));

    // Non-negotiating request should fail as well
    assertUnauthenticatedRequestIsRejected(getBadassHttpClient());
}
/**
 * Launches a dedicated Firefox instance that is permitted to perform Negotiate
 * authentication against the Jenkins under test, using the supplied ticket cache.
 * A cleanup task that quits the browser is registered with {@code cleaner}.
 *
 * @param kdc KDC container providing the krb5 configuration path.
 * @param tokenCache path of the Kerberos credential cache handed to the browser.
 * @return the started driver.
 */
private FirefoxDriver getNegotiatingFirefox(KerberosContainer kdc, String tokenCache) {
    final String jenkinsUrl = jenkins.url.toExternalForm();

    FirefoxProfile negotiateProfile = new FirefoxProfile();
    negotiateProfile.setAlwaysLoadNoFocusLib(true);

    // Allow auth negotiation for jenkins under test. Both lists are limited to the
    // Jenkins URL, so the browser will not offer tickets to any other site.
    negotiateProfile.setPreference("network.negotiate-auth.trusted-uris", jenkinsUrl);
    // NOTE(review): delegation-uris additionally permits credential delegation to the
    // server; confirm the test needs it, trusted-uris may be enough for a login check.
    negotiateProfile.setPreference("network.negotiate-auth.delegation-uris", jenkinsUrl);

    FirefoxBinary firefox = new FirefoxBinary();

    // Inject config and TGT
    firefox.setEnvironmentProperty("KRB5CCNAME", tokenCache);
    firefox.setEnvironmentProperty("KRB5_CONFIG", kdc.getKrb5ConfPath());

    // Turn debug on; both logs are written to files created through diag
    String krbTraceFile = diag.touch("tracelog").getAbsolutePath();
    firefox.setEnvironmentProperty("KRB5_TRACE", krbTraceFile);
    firefox.setEnvironmentProperty("NSPR_LOG_MODULES", "negotiateauth:5");
    String negotiateLogFile = diag.touch("firefox.nego.log").getAbsolutePath();
    firefox.setEnvironmentProperty("NSPR_LOG_FILE", negotiateLogFile);

    String display = FallbackConfig.getBrowserDisplay();
    if (display != null) {
        firefox.setEnvironmentProperty("DISPLAY", display);
    }

    final FirefoxDriver negotiatingDriver = new FirefoxDriver(firefox, negotiateProfile);

    // Quit the extra browser once the test is over; a browser that is already gone
    // is reported on stderr instead of failing the cleanup.
    Statement quitBrowser =
            new Statement() {
                @Override
                public void evaluate() throws Throwable {
                    try {
                        negotiatingDriver.quit();
                    } catch (UnreachableBrowserException ex) {
                        System.err.println("Browser died already");
                        ex.printStackTrace();
                    }
                }

                @Override
                public String toString() {
                    return "Close Kerberos WebDriver after test";
                }
            };
    cleaner.addTask(quitBrowser);

    return negotiatingDriver;
}
/**
 * Obtains the KDC container and has it write its generated keytabs and config files
 * into the diagnostics "target" directory.
 *
 * @return the KDC container.
 * @throws IOException propagated from the calls below.
 */
private KerberosContainer startKdc() throws IOException {
    KerberosContainer container = kerberos.get();

    // Keep the data for diagnostics. The directory then holds keytabs, i.e. key
    // material for the test realm, alongside the config files.
    File diagnosticsDir = diag.mkdirs("target");
    container.populateTargetDir(diagnosticsDir);

    return container;
}