jdk/test/sun/security/krb5/auto/Renew.java
author weijun
Mon, 13 Jul 2015 17:44:34 +0800
changeset 31643 abad00f2c027
child 36967 d041d2e80712
permissions -rw-r--r--
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace Reviewed-by: mullan

/*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 8058290
 * @summary JAAS Krb5LoginModule has suspect ticket-renewal logic,
 *          relies on clockskew grace
 * @modules java.base/sun.net.spi.nameservice
 *          java.base/sun.security.util
 *          java.security.jgss/sun.security.krb5
 *          java.security.jgss/sun.security.krb5.internal
 *          java.security.jgss/sun.security.krb5.internal.ccache
 *          java.security.jgss/sun.security.krb5.internal.crypto
 *          java.security.jgss/sun.security.krb5.internal.ktab
 * @compile -XDignore.symbol.file Renew.java
 * @run main/othervm Renew 1
 * @run main/othervm Renew 2
 * @run main/othervm Renew 3
 */

import sun.security.krb5.Config;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Date;
import javax.security.auth.kerberos.KerberosTicket;

public class Renew {

    public static void main(String[] args) throws Exception {

        // Three test cases:
        // 1. renewTGT=false
        // 2. renewTGT=true with a short life time, renew will happen
        // 3. renewTGT=true with a long life time, renew won't happen
        int test = Integer.parseInt(args[0]);

        OneKDC k = new OneKDC(null);
        KDC.saveConfig(OneKDC.KRB5_CONF, k,
                "renew_lifetime = 1d",
                "ticket_lifetime = " + (test == 2? "10s": "8h"));
        Config.refresh();
        k.writeJAASConf();

        // KDC would save ccache in a file
        System.setProperty("test.kdc.save.ccache", "cache.here");

        Files.write(Paths.get(OneKDC.JAAS_CONF), Arrays.asList(
                "first {",
                "   com.sun.security.auth.module.Krb5LoginModule required;",
                "};",
                "second {",
                "   com.sun.security.auth.module.Krb5LoginModule required",
                "   doNotPrompt=true",
                "   renewTGT=" + (test != 1),
                "   useTicketCache=true",
                "   ticketCache=cache.here;",
                "};"
        ));

        Context c;

        // The first login uses username and password
        c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
        Date d1 = c.s().getPrivateCredentials(KerberosTicket.class).iterator().next().getAuthTime();

        // 6s is longer than half of 10s
        Thread.sleep(6000);

        // The second login uses the cache
        c = Context.fromJAAS("second");
        Date d2 = c.s().getPrivateCredentials(KerberosTicket.class).iterator().next().getAuthTime();

        if (test == 2) {
            if (d1.equals(d2)) {
                throw new Exception("Ticket not renewed");
            }
        } else {
            if (!d1.equals(d2)) {
                throw new Exception("Ticket renewed");
            }
        }
    }
}