1
/*
2
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
import java.nio.file.Files;
25
import java.nio.file.Paths;
26
import java.time.Instant;
27
import java.util.Arrays;
28
import java.util.HashMap;
29
import java.util.Map;
30
import java.util.Set;
31
import javax.security.auth.RefreshFailedException;
32
import javax.security.auth.Subject;
33
import javax.security.auth.kerberos.KerberosTicket;
34
import javax.security.auth.login.LoginContext;
35

36
/*
37
 * @test
38
 * @bug 6857795 8075299
39
 * @summary Checks Kerberos ticket properties
40
 * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock KrbTicket
41
 */
42
public class KrbTicket {
43

44
    private static final String REALM = "TEST.REALM";
45
    private static final String HOST = "localhost";
46
    private static final String USER = "TESTER";
47
    private static final String USER_PRINCIPAL = USER + "@" + REALM;
48
    private static final String PASSWORD = "password";
49
    private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
50
    private static final String KRB5_CONF_FILENAME = "krb5.conf";
51
    private static final String JAAS_CONF = "jaas.conf";
52
    private static final long TICKET_LIFTETIME = 5 * 60 * 1000; // 5 mins
53

54
    public static void main(String[] args) throws Exception {
55
        // define principals
56
        Map<String, String> principals = new HashMap<>();
57
        principals.put(USER_PRINCIPAL, PASSWORD);
58
        principals.put(KRBTGT_PRINCIPAL, null);
59

60
        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);
61

62
        // start a local KDC instance
63
        KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null);
64
        KDC.saveConfig(KRB5_CONF_FILENAME, kdc,
65
                "forwardable = true", "proxiable = true");
66

67
        // create JAAS config
68
        Files.write(Paths.get(JAAS_CONF), Arrays.asList(
69
                "Client {",
70
                "    com.sun.security.auth.module.Krb5LoginModule required;",
71
                "};"
72
        ));
73
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
74
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
75

76
        long startTime = Instant.now().getEpochSecond() * 1000;
77

78
        LoginContext lc = new LoginContext("Client",
79
                new Helper.UserPasswordHandler(USER, PASSWORD));
80
        lc.login();
81

82
        Subject subject = lc.getSubject();
83
        System.out.println("subject: " + subject);
84

85
        Set creds = subject.getPrivateCredentials(
86
                KerberosTicket.class);
87

88
        if (creds.size() > 1) {
89
            throw new RuntimeException("Multiple credintials found");
90
        }
91

92
        Object o = creds.iterator().next();
93
        if (!(o instanceof KerberosTicket)) {
94
            throw new RuntimeException("Instance of KerberosTicket expected");
95
        }
96
        KerberosTicket krbTkt = (KerberosTicket) o;
97

98
        System.out.println("forwardable = " + krbTkt.isForwardable());
99
        System.out.println("proxiable   = " + krbTkt.isProxiable());
100
        System.out.println("renewable   = " + krbTkt.isRenewable());
101
        System.out.println("current     = " + krbTkt.isCurrent());
102

103
        if (!krbTkt.isForwardable()) {
104
            throw new RuntimeException("Forwardable ticket expected");
105
        }
106

107
        if (!krbTkt.isProxiable()) {
108
            throw new RuntimeException("Proxiable ticket expected");
109
        }
110

111
        if (!krbTkt.isCurrent()) {
112
            throw new RuntimeException("Ticket is not current");
113
        }
114

115
        if (krbTkt.isRenewable()) {
116
            throw new RuntimeException("Not renewable ticket expected");
117
        }
118
        try {
119
            krbTkt.refresh();
120
            throw new RuntimeException(
121
                    "Expected RefreshFailedException not thrown");
122
        } catch(RefreshFailedException e) {
123
            System.out.println("Expected exception: " + e);
124
        }
125

126
        if (!checkTime(krbTkt, startTime)) {
127
            throw new RuntimeException("Wrong ticket life time");
128
        }
129

130
        krbTkt.destroy();
131
        if (!krbTkt.isDestroyed()) {
132
            throw new RuntimeException("Ticket not destroyed");
133
        }
134

135
        System.out.println("Test passed");
136
    }
137

138
    private static boolean checkTime(KerberosTicket krbTkt, long startTime) {
139
        long ticketEndTime = krbTkt.getEndTime().getTime();
140
        long roughLifeTime = ticketEndTime - startTime;
141
        System.out.println("start time            = " + startTime);
142
        System.out.println("end time              = " + ticketEndTime);
143
        System.out.println("rough life time       = " + roughLifeTime);
144
        return roughLifeTime >= TICKET_LIFTETIME;
145
    }
146
}
147

148