1 /* |
|
2 * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. |
|
8 * |
|
9 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 * version 2 for more details (a copy is included in the LICENSE file that |
|
13 * accompanied this code). |
|
14 * |
|
15 * You should have received a copy of the GNU General Public License version |
|
16 * 2 along with this work; if not, write to the Free Software Foundation, |
|
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 * |
|
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
20 * or visit www.oracle.com if you need additional information or have any |
|
21 * questions. |
|
22 */ |
|
23 |
|
24 import java.io.*; |
|
25 import java.net.BindException; |
|
26 import java.net.DatagramPacket; |
|
27 import java.net.DatagramSocket; |
|
28 import java.net.InetAddress; |
|
29 import java.util.regex.Matcher; |
|
30 import java.util.regex.Pattern; |
|
31 import javax.security.auth.login.LoginException; |
|
32 import sun.security.krb5.Asn1Exception; |
|
33 import sun.security.krb5.Config; |
|
34 |
|
35 public class BadKdc { |
|
36 |
|
37 // Matches the krb5 debug output: |
|
38 // >>> KDCCommunication: kdc=kdc.rabbit.hole UDP:14319, timeout=2000,... |
|
39 // ^ kdc# ^ timeout |
|
40 static final Pattern re = Pattern.compile( |
|
41 ">>> KDCCommunication: kdc=kdc.rabbit.hole UDP:(\\d)...., " + |
|
42 "timeout=(\\d+),"); |
|
43 |
|
44 // Ratio for timeout values of all timeout tests. Not final so that |
|
45 // each test can choose their own. |
|
46 static float ratio = 2f; |
|
47 |
|
48 static void setRatio(float ratio) { |
|
49 BadKdc.ratio = ratio; |
|
50 } |
|
51 |
|
52 static float getRatio() { |
|
53 return ratio; |
|
54 } |
|
55 |
|
56 // Gets real timeout value. This method is called when writing krb5.conf |
|
57 static int toReal(int from) { |
|
58 return (int)(from * ratio + .5); |
|
59 } |
|
60 |
|
61 // De-ratio a millisecond value to second |
|
62 static int toSymbolicSec(int from) { |
|
63 return (int)(from / ratio / 1000f + 0.5); |
|
64 } |
|
65 |
|
66 /* |
|
67 * There are several cases this test fails: |
|
68 * |
|
69 * 1. The random selected port is used by another process. No good way to |
|
70 * prevent this happening, coz krb5.conf must be written before KDC starts. |
|
71 * There are two different outcomes: |
|
72 * |
|
73 * a. Cannot start the KDC. A BindException thrown. |
|
74 * b. When trying to access a non-existing KDC, a response is received! |
|
75 * Most likely a Asn1Exception thrown |
|
76 * |
|
77 * 2. Even if a KDC is started, and more than 20 seconds pass by, a timeout |
|
78 * can still happens for the first UDP request. In fact, the KDC did not |
|
79 * received it at all. This happens on almost all platforms, especially |
|
80 * solaris-i586 and solaris-x64. |
|
81 * |
|
82 * To avoid them: |
|
83 * |
|
84 * 1. Catch those exceptions and ignore |
|
85 * |
|
86 * 2. a. Make the timeout longer? useless |
|
87 * b. Read the output carefully, if there is a timeout, it's OK. |
|
88 * Just make sure the retries times and KDCs are correct. |
|
89 * This is tough. |
|
90 * c. Feed the KDC a UDP packet first. The current "solution". |
|
91 */ |
|
92 public static void go(String... expected) |
|
93 throws Exception { |
|
94 try { |
|
95 go0(expected); |
|
96 } catch (BindException be) { |
|
97 System.out.println("The random port is used by another process"); |
|
98 } catch (LoginException le) { |
|
99 Throwable cause = le.getCause(); |
|
100 if (cause instanceof Asn1Exception) { |
|
101 System.out.println("Bad packet possibly from another process"); |
|
102 return; |
|
103 } |
|
104 throw le; |
|
105 } |
|
106 } |
|
107 |
|
108 public static void go0(String... expected) |
|
109 throws Exception { |
|
110 System.setProperty("sun.security.krb5.debug", "true"); |
|
111 |
|
112 // Idle UDP sockets will trigger a SocketTimeoutException, without it, |
|
113 // a PortUnreachableException will be thrown. |
|
114 DatagramSocket d1 = null, d2 = null, d3 = null; |
|
115 |
|
116 // Make sure KDCs' ports starts with 1 and 2 and 3, |
|
117 // useful for checking debug output. |
|
118 int p1 = 10000 + new java.util.Random().nextInt(10000); |
|
119 int p2 = 20000 + new java.util.Random().nextInt(10000); |
|
120 int p3 = 30000 + new java.util.Random().nextInt(10000); |
|
121 |
|
122 FileWriter fw = new FileWriter("alternative-krb5.conf"); |
|
123 |
|
124 fw.write("[libdefaults]\n" + |
|
125 "default_realm = " + OneKDC.REALM + "\n" + |
|
126 "kdc_timeout = " + toReal(2000) + "\n"); |
|
127 fw.write("[realms]\n" + OneKDC.REALM + " = {\n" + |
|
128 "kdc = " + OneKDC.KDCHOST + ":" + p1 + "\n" + |
|
129 "kdc = " + OneKDC.KDCHOST + ":" + p2 + "\n" + |
|
130 "kdc = " + OneKDC.KDCHOST + ":" + p3 + "\n" + |
|
131 "}\n"); |
|
132 |
|
133 fw.close(); |
|
134 System.setProperty("java.security.krb5.conf", "alternative-krb5.conf"); |
|
135 Config.refresh(); |
|
136 |
|
137 // Turn on k3 only |
|
138 d1 = new DatagramSocket(p1); |
|
139 d2 = new DatagramSocket(p2); |
|
140 KDC k3 = on(p3); |
|
141 |
|
142 test(expected[0]); |
|
143 test(expected[1]); |
|
144 Config.refresh(); |
|
145 test(expected[2]); |
|
146 |
|
147 k3.terminate(); // shutdown k3 |
|
148 d3 = new DatagramSocket(p3); |
|
149 |
|
150 d2.close(); |
|
151 on(p2); // k2 is on |
|
152 |
|
153 test(expected[3]); |
|
154 d1.close(); |
|
155 on(p1); // k1 and k2 is on |
|
156 test(expected[4]); |
|
157 |
|
158 d3.close(); |
|
159 } |
|
160 |
|
161 private static KDC on(int p) throws Exception { |
|
162 KDC k = new KDC(OneKDC.REALM, OneKDC.KDCHOST, p, true); |
|
163 k.addPrincipal(OneKDC.USER, OneKDC.PASS); |
|
164 k.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); |
|
165 // Feed a packet to newly started KDC to warm it up |
|
166 System.err.println("-------- IGNORE THIS ERROR MESSAGE --------"); |
|
167 new DatagramSocket().send( |
|
168 new DatagramPacket("Hello".getBytes(), 5, |
|
169 InetAddress.getByName(OneKDC.KDCHOST), p)); |
|
170 return k; |
|
171 } |
|
172 |
|
173 private static void test(String expected) throws Exception { |
|
174 ByteArrayOutputStream bo = new ByteArrayOutputStream(); |
|
175 System.out.println("----------------- TEST -----------------"); |
|
176 try { |
|
177 test0(bo, expected); |
|
178 } catch (Exception e) { |
|
179 System.out.println("----------------- ERROR -----------------"); |
|
180 System.out.println(new String(bo.toByteArray())); |
|
181 System.out.println("--------------- ERROR END ---------------"); |
|
182 throw e; |
|
183 } |
|
184 } |
|
185 |
|
186 /** |
|
187 * One round of test for max_retries and timeout. |
|
188 * @param expected the expected kdc# timeout kdc# timeout... |
|
189 */ |
|
190 private static void test0(ByteArrayOutputStream bo, String expected) |
|
191 throws Exception { |
|
192 PrintStream oldout = System.out; |
|
193 boolean failed = false; |
|
194 System.setOut(new PrintStream(bo)); |
|
195 try { |
|
196 Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); |
|
197 } catch (Exception e) { |
|
198 failed = true; |
|
199 } finally { |
|
200 System.setOut(oldout); |
|
201 } |
|
202 |
|
203 String[] lines = new String(bo.toByteArray()).split("\n"); |
|
204 StringBuilder sb = new StringBuilder(); |
|
205 for (String line: lines) { |
|
206 Matcher m = re.matcher(line); |
|
207 if (m.find()) { |
|
208 System.out.println(line); |
|
209 sb.append(m.group(1)) |
|
210 .append(toSymbolicSec(Integer.parseInt(m.group(2)))); |
|
211 } |
|
212 } |
|
213 if (failed) sb.append('-'); |
|
214 |
|
215 String output = sb.toString(); |
|
216 System.out.println("Expected: " + expected + ", actual " + output); |
|
217 if (!output.matches(expected)) { |
|
218 throw new Exception("Does not match"); |
|
219 } |
|
220 } |
|
221 } |
|