7172701: KDC tests cleanup

Reviewed-by: xuelei
2026-05-14 23:49:49 +00:00 · 2012-06-05 17:11:26 +08:00 · 2012-06-05 17:11:26 +08:00 · cef72cc08e
commit cef72cc08e
parent 46d6e76274
5 changed files with 59 additions and 263 deletions
--- a/jdk/test/sun/security/krb5/auto/KDC.java
+++ b/jdk/test/sun/security/krb5/auto/KDC.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -67,10 +67,6 @@ import sun.security.util.DerValue;
 * <ul>
 * <li>test.kdc.save.ccache
 * </ul>
- * Support policies:
- * <ul>
- * <li>ok-as-delegate
- * </ul>
 * Issues and TODOs:
 * <ol>
 * <li> Generates krb5.conf to be used on another machine, currently the kdc is
@ -178,6 +174,10 @@ public class KDC {
         * Multiple ETYPE-INFO-ENTRY with same etype but different salt
         */
        DUP_ETYPE,
+        /**
+         * What backend server can be delegated to
+         */
+        OK_AS_DELEGATE,
    };

    static {
@ -232,7 +232,11 @@ public class KDC {
     * @param obj the value
     */
    public void setOption(Option key, Object value) {
-        options.put(key, value);
+        if (value == null) {
+            options.remove(key);
+        } else {
+            options.put(key, value);
+        }
    }

    /**
@ -579,53 +583,6 @@ public class KDC {
        }
    }

-    private Map<String,String> policies = new HashMap<>();
-
-    public void setPolicy(String rule, String value) {
-        if (value == null) {
-            policies.remove(rule);
-        } else {
-            policies.put(rule, value);
-        }
-    }
-    /**
-     * If the provided client/server pair matches a rule
-     *
-     * A system property named test.kdc.policy.RULE will be consulted.
-     * If it's unset, returns false. If its value is "", any pair is
-     * matched. Otherwise, it should contains the server name matched.
-     *
-     * TODO: client name is not used currently.
-     *
-     * @param c client name
-     * @param s server name
-     * @param rule rule name
-     * @return if a match is found
-     */
-    private boolean configMatch(String c, String s, String rule) {
-        String policy = policies.get(rule);
-        boolean result = false;
-        if (policy == null) {
-            result = false;
-        } else if (policy.length() == 0) {
-            result = true;
-        } else {
-            String[] names = policy.split("\\s+");
-            for (String name: names) {
-                if (name.equals(s)) {
-                    result = true;
-                    break;
-                }
-            }
-        }
-        if (result) {
-            System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n",
-                    c, s, rule, result);
-        }
-        return result;
-    }
-
-
    /**
     * Processes an incoming request and generates a response.
     * @param in the request
@ -724,7 +681,10 @@ public class KDC {
                bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
            }

-            if (configMatch("", service.getNameString(), "ok-as-delegate")) {
+            String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE);
+            if (okAsDelegate != null && (
+                    okAsDelegate.isEmpty() ||
+                    okAsDelegate.contains(service.getNameString()))) {
                bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
            }
            bFlags[Krb5.TKT_OPTS_INITIAL] = true;
--- a/jdk/test/sun/security/krb5/auto/OkAsDelegate.java
+++ b/jdk/test/sun/security/krb5/auto/OkAsDelegate.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -21,6 +21,32 @@
 * questions.
 */

+/*
+ * @test
+ * @bug 6853328 7172701
+ * @run main/othervm OkAsDelegate false true true false false false
+ *      FORWARDABLE ticket not allowed, always fail
+ * @run main/othervm OkAsDelegate true false false false false false
+ *      Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
+ * @run main/othervm OkAsDelegate true false true false false false
+ *      Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
+ * @run main/othervm OkAsDelegate true true false true false true
+ *      Service ticket no OK-AS-DELEGATE. Request deleg, granted
+ * @run main/othervm OkAsDelegate true true true true false true
+ *      Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
+ *      Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
+ *      Service ticket has OK-AS-DELEGATE. granted, with info by policy
+ * @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true
+ * @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true
+ * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
+ * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
+ * @summary Support OK-AS-DELEGATE flag
+ */
 import com.sun.security.jgss.ExtendedGSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
@ -52,7 +78,7 @@ public class OkAsDelegate {
            boolean delegated
            ) throws Exception {
        OneKDC kdc = new OneKDC(null);
-        kdc.setPolicy("ok-as-delegate",
+        kdc.setOption(KDC.Option.OK_AS_DELEGATE,
                System.getProperty("test.kdc.policy.ok-as-delegate"));
        kdc.writeJAASConf();
        if (!forwardable) {
--- a/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java
+++ b/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -21,8 +21,19 @@
 * questions.
 */

-import com.sun.security.jgss.ExtendedGSSContext;
-import java.io.File;
+/*
+ * @test
+ * @bug 6853328 7172701
+ * @run main/othervm OkAsDelegateXRealm false
+ *      KDC no OK-AS-DELEGATE, fail
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true
+ *      KDC set OK-AS-DELEGATE for all, succeed
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false
+ *      KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local,krbtgt/R2,krbtgt/R3 OkAsDelegateXRealm true
+ *      KDC set OK-AS-DELEGATE for all three, succeed
+ * @summary Support OK-AS-DELEGATE flag
+ */
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.security.Security;
@ -31,11 +42,7 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
 import sun.security.jgss.GSSUtil;
 import sun.security.krb5.Config;

@ -50,21 +57,21 @@ public class OkAsDelegateXRealm implements CallbackHandler {
        // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
        // R1 is trusted by R2, and R2 trusted by R3.
        KDC kdc1 = KDC.create("R1");
-        kdc1.setPolicy("ok-as-delegate",
+        kdc1.setOption(KDC.Option.OK_AS_DELEGATE,
                System.getProperty("test.kdc.policy.ok-as-delegate"));
        kdc1.addPrincipal("dummy", "bogus".toCharArray());
        kdc1.addPrincipalRandKey("krbtgt/R1");
        kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());

        KDC kdc2 = KDC.create("R2");
-        kdc2.setPolicy("ok-as-delegate",
+        kdc2.setOption(KDC.Option.OK_AS_DELEGATE,
                System.getProperty("test.kdc.policy.ok-as-delegate"));
        kdc2.addPrincipalRandKey("krbtgt/R2");
        kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
        kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());

        KDC kdc3 = KDC.create("R3");
-        kdc3.setPolicy("ok-as-delegate",
+        kdc3.setOption(KDC.Option.OK_AS_DELEGATE,
                System.getProperty("test.kdc.policy.ok-as-delegate"));
        kdc3.addPrincipalRandKey("krbtgt/R3");
        kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
--- a/jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh
+++ b/jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh
@ -1,79 +0,0 @@
-#
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6853328
-# @summary Support OK-AS-DELEGATE flag
-# @run shell/timeout=600 ok-as-delegate-xrealm.sh
-#
-
-if [ "${TESTSRC}" = "" ] ; then
-  TESTSRC=`dirname $0`
-fi
-
-if [ "${TESTJAVA}" = "" ] ; then
-  JAVAC_CMD=`which javac`
-  TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
-  Windows_* )
-    FS="\\"
-    SEP=";"
-    ;;
-  CYGWIN* )
-    FS="/"
-    SEP=";"
-    ;;
-  * )
-    FS="/"
-    SEP=":"
-    ;;
-esac
-
-${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
-    ${TESTSRC}${FS}OkAsDelegateXRealm.java \
-    ${TESTSRC}${FS}KDC.java \
-    ${TESTSRC}${FS}OneKDC.java \
-    ${TESTSRC}${FS}Action.java \
-    ${TESTSRC}${FS}Context.java \
-    || exit 10
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}."
-
-# KDC no OK-AS-DELEGATE, fail
-$J OkAsDelegateXRealm false || exit 1
-
-# KDC set OK-AS-DELEGATE for all, succeed
-$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2
-
-# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
-$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3
-
-# KDC set OK-AS-DELEGATE for all, succeed
-$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4
-
-exit 0
--- a/jdk/test/sun/security/krb5/auto/ok-as-delegate.sh
+++ b/jdk/test/sun/security/krb5/auto/ok-as-delegate.sh
@ -1,118 +0,0 @@
-#
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6853328
-# @summary Support OK-AS-DELEGATE flag
-# @run shell/timeout=600 ok-as-delegate.sh
-#
-
-if [ "${TESTSRC}" = "" ] ; then
-  TESTSRC=`dirname $0`
-fi
-
-if [ "${TESTJAVA}" = "" ] ; then
-  JAVAC_CMD=`which javac`
-  TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
-  Windows_* )
-    FS="\\"
-    SEP=";"
-    ;;
-  CYGWIN* )
-    FS="/"
-    SEP=";"
-    ;;
-  * )
-    FS="/"
-    SEP=":"
-    ;;
-esac
-
-${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
-    ${TESTSRC}${FS}OkAsDelegate.java \
-    ${TESTSRC}${FS}KDC.java \
-    ${TESTSRC}${FS}OneKDC.java \
-    ${TESTSRC}${FS}Action.java \
-    ${TESTSRC}${FS}Context.java \
-    || exit 10
-
-# Testing Kerberos 5
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate"
-JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
-
-# FORWARDABLE ticket not allowed, always fail
-$J false true true false false false || exit 1
-
-# Service ticket no OK-AS-DELEGATE
-
-# Request nothing, gain nothing
-$J true false false false false false || exit 2
-# Request deleg policy, gain nothing
-$J true false true false false false || exit 3
-# Request deleg, granted
-$J true true false true false true || exit 4
-# Request deleg and deleg policy, granted, with info not by policy
-$J true true true true false true || exit 5
-
-# Service ticket has OK-AS-DELEGATE
-
-# Request deleg policy, granted
-$JOK true false true true true true || exit 6
-# Request deleg and deleg policy, granted, with info by policy
-$JOK true true true true true true || exit 7
-
-# Testing SPNEGO
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate"
-JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
-
-# FORWARDABLE ticket not allowed, always fail
-$J false true true false false false || exit 11
-
-# Service ticket no OK-AS-DELEGATE
-
-# Request nothing, gain nothing
-$J true false false false false false || exit 12
-# Request deleg policy, gain nothing
-$J true false true false false false || exit 13
-# Request deleg, granted
-$J true true false true false true || exit 14
-# Request deleg and deleg policy, granted, with info not by policy
-$J true true true true false true || exit 15
-
-# Service ticket has OK-AS-DELEGATE
-
-# Request deleg policy, granted
-$JOK true false true true true true || exit 16
-# Request deleg and deleg policy, granted, with info by policy
-$JOK true true true true true true || exit 17
-
-exit 0