|
1 /* |
|
2 * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. |
|
8 * |
|
9 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 * version 2 for more details (a copy is included in the LICENSE file that |
|
13 * accompanied this code). |
|
14 * |
|
15 * You should have received a copy of the GNU General Public License version |
|
16 * 2 along with this work; if not, write to the Free Software Foundation, |
|
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 * |
|
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
20 * or visit www.oracle.com if you need additional information or have any |
|
21 * questions. |
|
22 */ |
|
23 |
|
24 /* |
|
25 * @test |
|
26 * @bug 8044500 |
|
27 * @summary Add kinit options and krb5.conf flags that allow users to |
|
28 * obtain renewable tickets and specify ticket lifetimes |
|
29 * @library ../../../../java/security/testlibrary/ |
|
30 * @compile -XDignore.symbol.file Renewal.java |
|
31 * @run main/othervm Renewal |
|
32 */ |
|
33 |
|
34 import sun.security.krb5.Config; |
|
35 import sun.security.krb5.internal.ccache.Credentials; |
|
36 import sun.security.krb5.internal.ccache.FileCredentialsCache; |
|
37 |
|
38 import javax.security.auth.kerberos.KerberosTicket; |
|
39 import java.util.Date; |
|
40 import java.util.Random; |
|
41 import java.util.Set; |
|
42 |
|
43 // The basic krb5 test skeleton you can copy from |
|
44 public class Renewal { |
|
45 |
|
46 static OneKDC kdc; |
|
47 static String clazz = "sun.security.krb5.internal.tools.Kinit"; |
|
48 static String hostsFileName = null; |
|
49 |
|
50 public static void main(String[] args) throws Exception { |
|
51 hostsFileName = System.getProperty("test.src", ".") + "/TestHosts"; |
|
52 System.setProperty("jdk.net.hosts.file", hostsFileName); |
|
53 |
|
54 kdc = new OneKDC(null); |
|
55 kdc.writeJAASConf(); |
|
56 kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false); |
|
57 |
|
58 checkLogin(null, null, KDC.DEFAULT_LIFETIME, -1); |
|
59 checkLogin("1h", null, 3600, -1); |
|
60 checkLogin(null, "2d", KDC.DEFAULT_LIFETIME, 86400*2); |
|
61 checkLogin("1h", "10h", 3600, 36000); |
|
62 // When rtime is before till, use till as rtime |
|
63 checkLogin("10h", "1h", 36000, 36000); |
|
64 |
|
65 try { |
|
66 Class.forName(clazz); |
|
67 } catch (ClassNotFoundException cnfe) { |
|
68 return; |
|
69 } |
|
70 |
|
71 checkKinit(null, null, null, null, KDC.DEFAULT_LIFETIME, -1); |
|
72 checkKinit("1h", "10h", null, null, 3600, 36000); |
|
73 checkKinit(null, null, "30m", "5h", 1800, 18000); |
|
74 checkKinit("1h", "10h", "30m", "5h", 1800, 18000); |
|
75 |
|
76 checkKinitRenew(); |
|
77 } |
|
78 |
|
79 static int count = 0; |
|
80 |
|
81 static void checkKinit( |
|
82 String s1, // ticket_lifetime in krb5.conf, null if none |
|
83 String s2, // renew_lifetime in krb5.conf, null if none |
|
84 String c1, // -l on kinit, null if none |
|
85 String c2, // -r on kinit, null if none |
|
86 int t1, int t2 // expected lifetimes, -1 of unexpected |
|
87 ) throws Exception { |
|
88 KDC.saveConfig(OneKDC.KRB5_CONF, kdc, |
|
89 s1 != null ? ("ticket_lifetime = " + s1) : "", |
|
90 s2 != null ? ("renew_lifetime = " + s2) : ""); |
|
91 Proc p = Proc.create(clazz); |
|
92 if (c1 != null) { |
|
93 p.args("-l", c1); |
|
94 } |
|
95 if (c2 != null) { |
|
96 p.args("-r", c2); |
|
97 } |
|
98 count++; |
|
99 p.args(OneKDC.USER, new String(OneKDC.PASS)) |
|
100 .inheritIO() |
|
101 .prop("jdk.net.hosts.file", hostsFileName) |
|
102 .prop("java.security.krb5.conf", OneKDC.KRB5_CONF) |
|
103 .env("KRB5CCNAME", "ccache" + count) |
|
104 .start(); |
|
105 if (p.waitFor() != 0) { |
|
106 throw new Exception(); |
|
107 } |
|
108 FileCredentialsCache fcc = |
|
109 FileCredentialsCache.acquireInstance(null, "ccache" + count); |
|
110 Credentials cred = fcc.getDefaultCreds(); |
|
111 checkRough(cred.getEndTime().toDate(), t1); |
|
112 if (cred.getRenewTill() == null) { |
|
113 checkRough(null, t2); |
|
114 } else { |
|
115 checkRough(cred.getRenewTill().toDate(), t2); |
|
116 } |
|
117 } |
|
118 |
|
119 static void checkKinitRenew() throws Exception { |
|
120 |
|
121 Proc p = Proc.create(clazz) |
|
122 .args("-R") |
|
123 .inheritIO() |
|
124 .prop("jdk.net.hosts.file", hostsFileName) |
|
125 .prop("java.security.krb5.conf", OneKDC.KRB5_CONF) |
|
126 .env("KRB5CCNAME", "ccache" + count) |
|
127 .start(); |
|
128 if (p.waitFor() != 0) { |
|
129 throw new Exception(); |
|
130 } |
|
131 } |
|
132 |
|
133 static void checkLogin( |
|
134 String s1, // ticket_lifetime in krb5.conf, null if none |
|
135 String s2, // renew_lifetime in krb5.conf, null if none |
|
136 int t1, int t2 // expected lifetimes, -1 of unexpected |
|
137 ) throws Exception { |
|
138 KDC.saveConfig(OneKDC.KRB5_CONF, kdc, |
|
139 s1 != null ? ("ticket_lifetime = " + s1) : "", |
|
140 s2 != null ? ("renew_lifetime = " + s2) : ""); |
|
141 Config.refresh(); |
|
142 |
|
143 Context c; |
|
144 c = Context.fromJAAS("client"); |
|
145 |
|
146 Set<KerberosTicket> tickets = |
|
147 c.s().getPrivateCredentials(KerberosTicket.class); |
|
148 if (tickets.size() != 1) { |
|
149 throw new Exception(); |
|
150 } |
|
151 KerberosTicket ticket = tickets.iterator().next(); |
|
152 |
|
153 checkRough(ticket.getEndTime(), t1); |
|
154 checkRough(ticket.getRenewTill(), t2); |
|
155 } |
|
156 |
|
157 static void checkRough(Date t, int duration) throws Exception { |
|
158 Date now = new Date(); |
|
159 if (t == null && duration == -1) { |
|
160 return; |
|
161 } |
|
162 long change = (t.getTime() - System.currentTimeMillis()) / 1000; |
|
163 if (change > duration + 20 || change < duration - 20) { |
|
164 throw new Exception(t + " is not " + duration); |
|
165 } |
|
166 } |
|
167 } |