8075301: Tests for sun.security.krb5.principal system property
authorweijun
Tue, 30 Jun 2015 22:32:03 +0800
changeset 31429 ce4193650b40
parent 31428 3656ffdfb040
child 31449 6b42ca2b2dca
8075301: Tests for sun.security.krb5.principal system property Reviewed-by: weijun Contributed-by: Sibabrata Sahoo <sibabrata.sahoo@oracle.com>
jdk/test/sun/security/krb5/auto/KDC.java
jdk/test/sun/security/krb5/auto/UnboundSSL.java
jdk/test/sun/security/krb5/auto/UnboundSSLMultipleKeys.java
jdk/test/sun/security/krb5/auto/UnboundSSLPrincipalProperty.java
jdk/test/sun/security/krb5/auto/UnboundSSLUtils.java
jdk/test/sun/security/krb5/auto/principalProperty/PrincipalSystemPropTest.java
jdk/test/sun/security/krb5/auto/principalProperty/jaas.conf
jdk/test/sun/security/krb5/auto/principalProperty/principalSystemPropTest.policy
--- a/jdk/test/sun/security/krb5/auto/KDC.java	Tue Jun 30 16:10:27 2015 +0200
+++ b/jdk/test/sun/security/krb5/auto/KDC.java	Tue Jun 30 22:32:03 2015 +0800
@@ -30,6 +30,7 @@
 import java.security.SecureRandom;
 import java.util.*;
 import java.util.concurrent.*;
+
 import sun.net.spi.nameservice.NameService;
 import sun.net.spi.nameservice.NameServiceDescriptor;
 import sun.security.krb5.*;
@@ -155,6 +156,8 @@
     DatagramSocket u1 = null;
     ServerSocket t1 = null;
 
+    public static enum KtabMode { APPEND, EXISTING };
+
     /**
      * Option names, to be expanded forever.
      */
@@ -1316,6 +1319,68 @@
             // OK
         }
     }
+
+    public static void startKDC(final String host, final String krbConfFileName,
+            final String realm, final Map<String, String> principals,
+            final String ktab, final KtabMode mode) {
+
+        try {
+            KDC kdc = KDC.create(realm, host, 0, true);
+            kdc.setOption(KDC.Option.PREAUTH_REQUIRED, Boolean.FALSE);
+            KDC.saveConfig(krbConfFileName, kdc);
+
+            // Add principals
+            if (principals != null) {
+                principals.forEach((name, password) -> {
+                    if (password == null || password.isEmpty()) {
+                        System.out.println(String.format(
+                                "KDC:add a principal '%s' with a random " +
+                                        "password", name));
+                        kdc.addPrincipalRandKey(name);
+                    } else {
+                        System.out.println(String.format(
+                                "KDC:add a principal '%s' with '%s' password",
+                                name, password));
+                        kdc.addPrincipal(name, password.toCharArray());
+                    }
+                });
+            }
+
+            // Create or append keys to existing keytab file
+            if (ktab != null) {
+                File ktabFile = new File(ktab);
+                switch(mode) {
+                    case APPEND:
+                        if (ktabFile.exists()) {
+                            System.out.println(String.format(
+                                    "KDC:append keys to an exising keytab "
+                                    + "file %s", ktab));
+                            kdc.appendKtab(ktab);
+                        } else {
+                            System.out.println(String.format(
+                                    "KDC:create a new keytab file %s", ktab));
+                            kdc.writeKtab(ktab);
+                        }
+                        break;
+                    case EXISTING:
+                        System.out.println(String.format(
+                                "KDC:use an existing keytab file %s", ktab));
+                        break;
+                    default:
+                        throw new RuntimeException(String.format(
+                                "KDC:unsupported keytab mode: %s", mode));
+                }
+            }
+
+            System.out.println(String.format(
+                    "KDC: started on %s:%s with '%s' realm",
+                    host, kdc.getPort(), realm));
+        } catch (Exception e) {
+            throw new RuntimeException("KDC: unexpected exception", e);
+        }
+
+    }
+
     /**
      * Helper class to encapsulate a job in a KDC.
      */
--- a/jdk/test/sun/security/krb5/auto/UnboundSSL.java	Tue Jun 30 16:10:27 2015 +0200
+++ b/jdk/test/sun/security/krb5/auto/UnboundSSL.java	Tue Jun 30 22:32:03 2015 +0800
@@ -26,6 +26,7 @@
 import java.security.PrivilegedActionException;
 import java.util.HashMap;
 import java.util.Map;
+
 import javax.security.auth.login.LoginException;
 
 /*
@@ -74,8 +75,9 @@
                UnboundSSLUtils.KRB5_CONF_FILENAME);
 
         // start a local KDC instance
-        UnboundSSLUtils.startKDC(UnboundSSLUtils.REALM, principals,
-                UnboundSSLUtils.KTAB_FILENAME, UnboundSSLUtils.KtabMode.APPEND);
+        KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
+                UnboundSSLUtils.REALM, principals,
+                UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
 
         System.setProperty("java.security.auth.login.config",
                 UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
--- a/jdk/test/sun/security/krb5/auto/UnboundSSLMultipleKeys.java	Tue Jun 30 16:10:27 2015 +0200
+++ b/jdk/test/sun/security/krb5/auto/UnboundSSLMultipleKeys.java	Tue Jun 30 22:32:03 2015 +0800
@@ -26,6 +26,7 @@
 import java.security.PrivilegedActionException;
 import java.util.HashMap;
 import java.util.Map;
+
 import javax.security.auth.login.LoginException;
 
 /*
@@ -81,8 +82,9 @@
          * principal, but password for only one key is the same with the record
          * for service1 principal in KDC.
          */
-        UnboundSSLUtils.startKDC(UnboundSSLUtils.REALM, principals,
-                UnboundSSLUtils.KTAB_FILENAME, UnboundSSLUtils.KtabMode.APPEND);
+        KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
+                UnboundSSLUtils.REALM, principals,
+                UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
 
         System.setProperty("java.security.auth.login.config",
                 UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
--- a/jdk/test/sun/security/krb5/auto/UnboundSSLPrincipalProperty.java	Tue Jun 30 16:10:27 2015 +0200
+++ b/jdk/test/sun/security/krb5/auto/UnboundSSLPrincipalProperty.java	Tue Jun 30 22:32:03 2015 +0800
@@ -70,8 +70,9 @@
                 UnboundSSLUtils.KRB5_CONF_FILENAME);
 
         // start a local KDC instance
-        UnboundSSLUtils.startKDC(UnboundSSLUtils.REALM, principals,
-                UnboundSSLUtils.KTAB_FILENAME, UnboundSSLUtils.KtabMode.APPEND);
+        KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
+                UnboundSSLUtils.REALM, principals,
+                UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
 
         System.setProperty("java.security.auth.login.config",
                 UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
--- a/jdk/test/sun/security/krb5/auto/UnboundSSLUtils.java	Tue Jun 30 16:10:27 2015 +0200
+++ b/jdk/test/sun/security/krb5/auto/UnboundSSLUtils.java	Tue Jun 30 22:32:03 2015 +0800
@@ -50,8 +50,6 @@
  */
 class UnboundSSLUtils {
 
-    static enum KtabMode { APPEND, EXISTING };
-
     static final String KTAB_FILENAME = "krb5.keytab.data";
     static final String HOST = "localhost";
     static final String REALM = "TEST.REALM";
@@ -87,65 +85,6 @@
         });
     }
 
-    /*
-     * Start a KDC server:
-     *   - create a KDC instance
-     *   - create Kerberos principals
-     *   - save Kerberos configuration
-     *   - save keys to keytab file
-     *   - no pre-auth required
-     */
-    static void startKDC(String realm, Map<String, String> principals,
-            String ktab, KtabMode mode) {
-        try {
-            KDC kdc = KDC.create(realm, HOST, 0, true);
-            kdc.setOption(KDC.Option.PREAUTH_REQUIRED, Boolean.FALSE);
-            if (principals != null) {
-                for (Map.Entry<String, String> entry : principals.entrySet()) {
-                    String name = entry.getKey();
-                    String password = entry.getValue();
-                    if (password == null || password.isEmpty()) {
-                        System.out.println("KDC: add a principal '" + name +
-                                "' with a random password");
-                        kdc.addPrincipalRandKey(name);
-                    } else {
-                        System.out.println("KDC: add a principal '" + name +
-                                "' with '" + password + "' password");
-                        kdc.addPrincipal(name, password.toCharArray());
-                    }
-                }
-            }
-
-            KDC.saveConfig(KRB5_CONF_FILENAME, kdc);
-
-            if (ktab != null) {
-                File ktabFile = new File(ktab);
-                if (mode == KtabMode.APPEND) {
-                    if (ktabFile.exists()) {
-                        System.out.println("KDC: append keys to an exising " +
-                                "keytab file " + ktab);
-                        kdc.appendKtab(ktab);
-                    } else {
-                        System.out.println("KDC: create a new keytab file " +
-                                ktab);
-                        kdc.writeKtab(ktab);
-                    }
-                } else if (mode == KtabMode.EXISTING) {
-                    System.out.println("KDC: use an existing keytab file "
-                            + ktab);
-                } else {
-                    throw new RuntimeException("KDC: unsupported keytab mode: "
-                            + mode);
-                }
-            }
-
-            System.out.println("KDC: started on " + HOST + ":" + kdc.getPort()
-                    + " with '" + realm + "' realm");
-        } catch (Exception e) {
-            throw new RuntimeException("KDC: unexpected exception", e);
-        }
-    }
-
 }
 
 class SSLClient {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/principalProperty/PrincipalSystemPropTest.java	Tue Jun 30 22:32:03 2015 +0800
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8075301
+ * @library /sun/security/krb5/auto
+ * @summary New test for sun.security.krb5.principal system property.
+ * The principal can set using the system property sun.security.krb5.principal.
+ * This property is checked during login. If this property is not set,
+ * then the principal name from the configuration is used.
+ * @run main/othervm/java.security.policy=principalSystemPropTest.policy
+ * PrincipalSystemPropTest
+ */
+
+import java.io.File;
+import java.util.HashMap;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.login.LoginContext;
+import com.sun.security.auth.callback.TextCallbackHandler;
+
+public class PrincipalSystemPropTest {
+
+    private static final boolean PASS = Boolean.TRUE;
+    private static final boolean FAIL = Boolean.FALSE;
+    private static final String VALID_PRINCIPAL_JAAS_ENTRY =
+            "ValidPrincipalSystemPropTest";
+    private static final String INVALID_PRINCIPAL_JAAS_ENTRY =
+            "InvalidPrincipalSystemPropTest";
+    private static final String NO_PRINCIPAL_JAAS_ENTRY =
+            "NoPrincipalSystemPropTest";
+    private static final String SAME_PRINCIPAL_JAAS_ENTRY =
+            "SelfPrincipalSystemPropTest";
+    private static final String HOST = "localhost";
+    private static final String KTAB_FILENAME = "krb5.keytab.data";
+    private static final String REALM = "TEST.REALM";
+    private static final String TEST_SRC = System.getProperty("test.src", ".");
+    private static final String USER = "USER";
+    private static final String AVAILABLE_USER = "AVAILABLE";
+    private static final String USER_PASSWORD = "password";
+    private static final String FS = System.getProperty("file.separator");
+    private static final String KRB5_CONF_FILENAME = "krb5.conf";
+    private static final String JAAS_CONF_FILENAME = "jaas.conf";
+    private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
+    private static final String USER_PRINCIPAL = USER + "@" + REALM;
+    private static final String AVAILABLE_USER_PRINCIPAL =
+            AVAILABLE_USER + "@" + REALM;
+
+    public static void main(String[] args) throws Exception {
+
+        setupTest();
+
+        // Expected result, Jaas Config Entry, Login Principal Expected,
+        // Principal passed through System property
+        runTest(PASS, VALID_PRINCIPAL_JAAS_ENTRY,
+                USER_PRINCIPAL, "USER@TEST.REALM");
+        runTest(PASS, VALID_PRINCIPAL_JAAS_ENTRY,
+                AVAILABLE_USER_PRINCIPAL,  null);
+        runTest(PASS, INVALID_PRINCIPAL_JAAS_ENTRY,
+                USER_PRINCIPAL, "USER@TEST.REALM");
+        runTest(FAIL, INVALID_PRINCIPAL_JAAS_ENTRY, null,  null);
+        runTest(PASS, NO_PRINCIPAL_JAAS_ENTRY,
+                USER_PRINCIPAL, "USER@TEST.REALM");
+        runTest(FAIL, NO_PRINCIPAL_JAAS_ENTRY, null, null);
+        runTest(PASS, SAME_PRINCIPAL_JAAS_ENTRY,
+                USER_PRINCIPAL, "USER@TEST.REALM");
+
+    }
+
+    private static void setupTest() {
+
+        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);
+        System.setProperty("java.security.auth.login.config",
+                TEST_SRC + FS + JAAS_CONF_FILENAME);
+
+        Map<String, String> principals = new HashMap<>();
+        principals.put(USER_PRINCIPAL, USER_PASSWORD);
+        principals.put(AVAILABLE_USER_PRINCIPAL, USER_PASSWORD);
+        principals.put(KRBTGT_PRINCIPAL, null);
+        KDC.startKDC(HOST, KRB5_CONF_FILENAME, REALM, principals,
+                KTAB_FILENAME, KDC.KtabMode.APPEND);
+
+    }
+
+    private static void runTest(boolean expected, String jaasConfigEntry,
+            String expectedLoginUser, String loginUserBySysProp) {
+
+        if(loginUserBySysProp != null) {
+            System.setProperty("sun.security.krb5.principal",
+                    loginUserBySysProp);
+        } else {
+            System.clearProperty("sun.security.krb5.principal");
+        }
+
+        try {
+            LoginContext lc = new LoginContext(jaasConfigEntry,
+                    new TextCallbackHandler());
+            lc.login();
+            System.out.println(String.format(
+                    "Authentication completed with Subject '%s' ",
+                    lc.getSubject()));
+
+            if (!expected) {
+                throw new RuntimeException(
+                        "TEST FAILED - JAAS login success isn't expected");
+            }
+            if(expectedLoginUser != null && !lc.getSubject().getPrincipals()
+                    .stream().map(p -> p.getName()).filter(
+                            expectedLoginUser :: equals).findFirst()
+                            .isPresent()) {
+                throw new RuntimeException(String.format(
+                        "TEST FAILED - Login principal is not matched "
+                        + "to expected principal '%s'.", expectedLoginUser));
+            }
+            System.out.println(
+                    "TEST PASSED - JAAS login success is expected.");
+        } catch (LoginException ie) {
+            System.out.println(String.format(
+                    "Authentication failed with exception: %s",
+                    ie.getMessage()));
+            if (expected) {
+                System.out.println(
+                        "TEST FAILED - JAAS login failure isn't expected");
+                throw new RuntimeException(ie);
+            }
+            System.out.println(
+                    "TEST PASSED - JAAS login failure is expected.");
+        }
+
+    }
+
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/principalProperty/jaas.conf	Tue Jun 30 22:32:03 2015 +0800
@@ -0,0 +1,34 @@
+NoPrincipalSystemPropTest {
+	com.sun.security.auth.module.Krb5LoginModule required 
+	useKeyTab = true
+  	keyTab = krb5.keytab.data
+  	doNotPrompt =true
+  	debug=true;
+};
+
+InvalidPrincipalSystemPropTest {
+  	com.sun.security.auth.module.Krb5LoginModule required 
+  	principal="UNAVAILABLE@TEST.REALM"
+  	useKeyTab = true
+  	keyTab = krb5.keytab.data
+  	doNotPrompt =true
+  	debug=true;
+};
+
+ValidPrincipalSystemPropTest {
+  	com.sun.security.auth.module.Krb5LoginModule required 
+  	principal="AVAILABLE@TEST.REALM"
+  	useKeyTab = true
+  	keyTab = krb5.keytab.data
+  	doNotPrompt =true
+  	debug=true;
+};
+
+SelfPrincipalSystemPropTest {
+  	com.sun.security.auth.module.Krb5LoginModule required 
+  	principal="USER@TEST.REALM"
+  	useKeyTab = true
+  	keyTab = krb5.keytab.data
+  	doNotPrompt =true
+  	debug=true;
+};
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/principalProperty/principalSystemPropTest.policy	Tue Jun 30 22:32:03 2015 +0800
@@ -0,0 +1,21 @@
+grant {
+  	permission javax.security.auth.AuthPermission
+    	"createLoginContext.ValidPrincipalSystemPropTest";
+    	permission javax.security.auth.AuthPermission
+    	"createLoginContext.InvalidPrincipalSystemPropTest";
+    	permission javax.security.auth.AuthPermission
+    	"createLoginContext.NoPrincipalSystemPropTest";
+    	permission javax.security.auth.AuthPermission
+    	"createLoginContext.SelfPrincipalSystemPropTest";
+  	permission javax.security.auth.AuthPermission "doAs";
+  	permission javax.security.auth.AuthPermission "modifyPrincipals";
+  	permission javax.security.auth.AuthPermission "getSubject";
+  	permission java.util.PropertyPermission "*", "read,write";
+  	permission java.io.FilePermission "*", "read,write,delete";
+  	permission java.lang.RuntimePermission "accessDeclaredMembers";
+  	permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+  	permission java.lang.RuntimePermission "accessClassInPackage.*";
+  	permission java.net.SocketPermission "*:*", 
+  		"listen,resolve,accept,connect";
+}; 
+