diff --git a/jdk/test/sun/security/krb5/auto/KDC.java b/jdk/test/sun/security/krb5/auto/KDC.java index 917c56d7b0f..05efabdcb09 100644 --- a/jdk/test/sun/security/krb5/auto/KDC.java +++ b/jdk/test/sun/security/krb5/auto/KDC.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -67,10 +67,6 @@ import sun.security.util.DerValue; * - * Support policies: - * * Issues and TODOs: *
    *
  1. Generates krb5.conf to be used on another machine, currently the kdc is @@ -178,6 +174,10 @@ public class KDC { * Multiple ETYPE-INFO-ENTRY with same etype but different salt */ DUP_ETYPE, + /** + * What backend server can be delegated to + */ + OK_AS_DELEGATE, }; static { @@ -232,7 +232,11 @@ public class KDC { * @param obj the value */ public void setOption(Option key, Object value) { - options.put(key, value); + if (value == null) { + options.remove(key); + } else { + options.put(key, value); + } } /** @@ -579,53 +583,6 @@ public class KDC { } } - private Map policies = new HashMap<>(); - - public void setPolicy(String rule, String value) { - if (value == null) { - policies.remove(rule); - } else { - policies.put(rule, value); - } - } - /** - * If the provided client/server pair matches a rule - * - * A system property named test.kdc.policy.RULE will be consulted. - * If it's unset, returns false. If its value is "", any pair is - * matched. Otherwise, it should contains the server name matched. - * - * TODO: client name is not used currently. - * - * @param c client name - * @param s server name - * @param rule rule name - * @return if a match is found - */ - private boolean configMatch(String c, String s, String rule) { - String policy = policies.get(rule); - boolean result = false; - if (policy == null) { - result = false; - } else if (policy.length() == 0) { - result = true; - } else { - String[] names = policy.split("\\s+"); - for (String name: names) { - if (name.equals(s)) { - result = true; - break; - } - } - } - if (result) { - System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n", - c, s, rule, result); - } - return result; - } - - /** * Processes an incoming request and generates a response. * @param in the request 
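Review bot: The Javadoc on the new OK_AS_DELEGATE entry (`What backend server can be delegated to`) does not say what type or format the option value takes, and since setOption accepts an Object the reader cannot tell that the consumer casts it to String. I would state the contract on the enum constant: `Value is a String. The empty string marks every service ticket OK-AS-DELEGATE; otherwise the flag is set only for services named in the value. Unset or null disables the flag.` The matching rule itself is implemented in the later hunk at new line 681, so this comment should stay in step with whatever that code finally does (the current code uses a substring test, which the comment would have to mention if it is kept).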
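Review bot: setOption now treats a null value as a removal, but the Javadoc just above it (context line `* @param obj the value`) still documents a parameter named `obj` and says nothing about null, so callers such as OkAsDelegate.java that pass the result of System.getProperty straight in cannot see from the docs that an unset property clears the option. Rename the tag to match the signature and state the new behaviour: `@param value the value, or null to remove the option and fall back to the default`. The description of the Option enum above the method is also worth a sentence noting that re-setting with null reverts a previously configured key.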
@@ -724,7 +681,10 @@ public class KDC { bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; } - if (configMatch("", service.getNameString(), "ok-as-delegate")) { + String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE); + if (okAsDelegate != null && ( + okAsDelegate.isEmpty() || + okAsDelegate.contains(service.getNameString()))) { bFlags[Krb5.TKT_OPTS_DELEGATE] = true; } bFlags[Krb5.TKT_OPTS_INITIAL] = true; diff --git a/jdk/test/sun/security/krb5/auto/OkAsDelegate.java b/jdk/test/sun/security/krb5/auto/OkAsDelegate.java index 435af260f06..90376341f2d 100644 --- a/jdk/test/sun/security/krb5/auto/OkAsDelegate.java +++ b/jdk/test/sun/security/krb5/auto/OkAsDelegate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
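Review bot: The new check `okAsDelegate.contains(service.getNameString())` is a substring test, whereas the configMatch code it replaces split the policy on whitespace and compared each token with equals, so the OK-AS-DELEGATE flag is now also set for any service whose name is a prefix or fragment of a configured one (for example a policy of `krbtgt/R2` would match a service `krbtgt/R`, and `host/host.r3.local` would match `host/host.r3`). Since the OkAsDelegateXRealm @run lines now separate entries with commas, a token-exact comparison without new imports would be `("," + okAsDelegate + ",").contains("," + service.getNameString() + ",")`; alternatively split on "," and compare with equals as before. The cast `(String)options.get(Option.OK_AS_DELEGATE)` also throws ClassCastException for any non-String value, which setOption's Object parameter does not prevent, so either document the String requirement on the enum constant or validate in setOption. The enclosing method starts and ends outside this hunk, and the old-side line count (7) suggests one blank context line was lost in extraction.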
@@ -21,6 +21,32 @@ * questions. */ +/* + * @test + * @bug 6853328 7172701 + * @run main/othervm OkAsDelegate false true true false false false + * FORWARDABLE ticket not allowed, always fail + * @run main/othervm OkAsDelegate true false false false false false + * Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing + * @run main/othervm OkAsDelegate true false true false false false + * Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing + * @run main/othervm OkAsDelegate true true false true false true + * Service ticket no OK-AS-DELEGATE. Request deleg, granted + * @run main/othervm OkAsDelegate true true true true false true + * Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy + * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true + * Service ticket has OK-AS-DELEGATE. Request deleg policy, granted + * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true + * Service ticket has OK-AS-DELEGATE. granted, with info by policy + * @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false + * @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false + * @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false + * @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true + * @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true + * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true + * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true + * @summary Support OK-AS-DELEGATE flag + */ import com.sun.security.jgss.ExtendedGSSContext; import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; 
@@ -52,7 +78,7 @@ public class OkAsDelegate { boolean delegated ) throws Exception { OneKDC kdc = new OneKDC(null); - kdc.setPolicy("ok-as-delegate", + kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate")); kdc.writeJAASConf(); if (!forwardable) { diff --git a/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java b/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java index 7d855996839..4607619ec31 100644 --- a/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java +++ b/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -21,8 +21,19 @@ * questions. */ -import com.sun.security.jgss.ExtendedGSSContext; -import java.io.File; +/* + * @test + * @bug 6853328 7172701 + * @run main/othervm OkAsDelegateXRealm false + * KDC no OK-AS-DELEGATE, fail + * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true + * KDC set OK-AS-DELEGATE for all, succeed + * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false + * KDC set OK-AS-DELEGATE for host/host.r3.local only, fail + * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local,krbtgt/R2,krbtgt/R3 OkAsDelegateXRealm true + * KDC set OK-AS-DELEGATE for all three, succeed + * @summary Support OK-AS-DELEGATE flag + */ import java.io.FileOutputStream; import java.io.IOException; import java.security.Security; 
@@ -31,11 +42,7 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; -import org.ietf.jgss.GSSContext; -import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; -import org.ietf.jgss.GSSManager; -import org.ietf.jgss.GSSName; import sun.security.jgss.GSSUtil; import sun.security.krb5.Config; @@ -50,21 +57,21 @@ public class OkAsDelegateXRealm implements CallbackHandler { // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3. // R1 is trusted by R2, and R2 trusted by R3. KDC kdc1 = KDC.create("R1"); - kdc1.setPolicy("ok-as-delegate", + kdc1.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate")); kdc1.addPrincipal("dummy", "bogus".toCharArray()); kdc1.addPrincipalRandKey("krbtgt/R1"); kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray()); KDC kdc2 = KDC.create("R2"); - kdc2.setPolicy("ok-as-delegate", + kdc2.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate")); kdc2.addPrincipalRandKey("krbtgt/R2"); kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray()); kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray()); KDC kdc3 = KDC.create("R3"); - kdc3.setPolicy("ok-as-delegate", + kdc3.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate")); kdc3.addPrincipalRandKey("krbtgt/R3"); kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray()); diff --git a/jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh b/jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh deleted file mode 100644 index eb66f1c59ad..00000000000 --- a/jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh +++ /dev/null 
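Review bot: In the second hunk of this file `System.getProperty("test.kdc.policy.ok-as-delegate")` is evaluated three times, once per KDC, which repeats the property name and makes it easy for a later edit to change one call and not the others; read it once into a local before the KDCs are created, `String okAsDelegate = System.getProperty("test.kdc.policy.ok-as-delegate");`, and pass `okAsDelegate` to each `setOption(KDC.Option.OK_AS_DELEGATE, ...)`. A one-line comment on that local noting that an unset property yields null and therefore leaves the flag disabled, while `-Dtest.kdc.policy.ok-as-delegate` with no value yields "" and enables it for every service, would make the four @run variants in the file header easier to relate to the code. The enclosing main method starts before and ends after the hunk.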
@@ -1,79 +0,0 @@ -# -# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -# @test -# @bug 6853328 -# @summary Support OK-AS-DELEGATE flag -# @run shell/timeout=600 ok-as-delegate-xrealm.sh -# - -if [ "${TESTSRC}" = "" ] ; then - TESTSRC=`dirname $0` -fi - -if [ "${TESTJAVA}" = "" ] ; then - JAVAC_CMD=`which javac` - TESTJAVA=`dirname $JAVAC_CMD`/.. -fi - -# set platform-dependent variables -OS=`uname -s` -case "$OS" in - Windows_* ) - FS="\\" - SEP=";" - ;; - CYGWIN* ) - FS="/" - SEP=";" - ;; - * ) - FS="/" - SEP=":" - ;; -esac - -${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \ - ${TESTSRC}${FS}OkAsDelegateXRealm.java \ - ${TESTSRC}${FS}KDC.java \ - ${TESTSRC}${FS}OneKDC.java \ - ${TESTSRC}${FS}Action.java \ - ${TESTSRC}${FS}Context.java \ - || exit 10 - -# Add $TESTSRC to classpath so that customized nameservice can be used -J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}." 
- -# KDC no OK-AS-DELEGATE, fail -$J OkAsDelegateXRealm false || exit 1 - -# KDC set OK-AS-DELEGATE for all, succeed -$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2 - -# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail -$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3 - -# KDC set OK-AS-DELEGATE for all, succeed -$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4 - -exit 0 diff --git a/jdk/test/sun/security/krb5/auto/ok-as-delegate.sh b/jdk/test/sun/security/krb5/auto/ok-as-delegate.sh deleted file mode 100644 index 592bf491bf2..00000000000 --- a/jdk/test/sun/security/krb5/auto/ok-as-delegate.sh +++ /dev/null 
@@ -1,118 +0,0 @@ -# -# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. -# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -# -# This code is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License version 2 only, as -# published by the Free Software Foundation. -# -# This code is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# version 2 for more details (a copy is included in the LICENSE file that -# accompanied this code). -# -# You should have received a copy of the GNU General Public License version -# 2 along with this work; if not, write to the Free Software Foundation, -# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -# or visit www.oracle.com if you need additional information or have any -# questions. -# - -# @test -# @bug 6853328 -# @summary Support OK-AS-DELEGATE flag -# @run shell/timeout=600 ok-as-delegate.sh -# - -if [ "${TESTSRC}" = "" ] ; then - TESTSRC=`dirname $0` -fi - -if [ "${TESTJAVA}" = "" ] ; then - JAVAC_CMD=`which javac` - TESTJAVA=`dirname $JAVAC_CMD`/.. -fi - -# set platform-dependent variables -OS=`uname -s` -case "$OS" in - Windows_* ) - FS="\\" - SEP=";" - ;; - CYGWIN* ) - FS="/" - SEP=";" - ;; - * ) - FS="/" - SEP=":" - ;; -esac - -${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \ - ${TESTSRC}${FS}OkAsDelegate.java \ - ${TESTSRC}${FS}KDC.java \ - ${TESTSRC}${FS}OneKDC.java \ - ${TESTSRC}${FS}Action.java \ - ${TESTSRC}${FS}Context.java \ - || exit 10 - -# Testing Kerberos 5 - -# Add $TESTSRC to classpath so that customized nameservice can be used -J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate" -JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. 
-Dtest.kdc.policy.ok-as-delegate OkAsDelegate" - -# FORWARDABLE ticket not allowed, always fail -$J false true true false false false || exit 1 - -# Service ticket no OK-AS-DELEGATE - -# Request nothing, gain nothing -$J true false false false false false || exit 2 -# Request deleg policy, gain nothing -$J true false true false false false || exit 3 -# Request deleg, granted -$J true true false true false true || exit 4 -# Request deleg and deleg policy, granted, with info not by policy -$J true true true true false true || exit 5 - -# Service ticket has OK-AS-DELEGATE - -# Request deleg policy, granted -$JOK true false true true true true || exit 6 -# Request deleg and deleg policy, granted, with info by policy -$JOK true true true true true true || exit 7 - -# Testing SPNEGO - -# Add $TESTSRC to classpath so that customized nameservice can be used -J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate" -JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate" - -# FORWARDABLE ticket not allowed, always fail -$J false true true false false false || exit 11 - -# Service ticket no OK-AS-DELEGATE - -# Request nothing, gain nothing -$J true false false false false false || exit 12 -# Request deleg policy, gain nothing -$J true false true false false false || exit 13 -# Request deleg, granted -$J true true false true false true || exit 14 -# Request deleg and deleg policy, granted, with info not by policy -$J true true true true false true || exit 15 - -# Service ticket has OK-AS-DELEGATE - -# Request deleg policy, granted -$JOK true false true true true true || exit 16 -# Request deleg and deleg policy, granted, with info by policy -$JOK true true true true true true || exit 17 - -exit 0