1 /*
2  * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 /*
25  * @test
26  * @bug 8131051 8194486 8187218
27  * @summary KDC might issue a renewable ticket even if not requested
28  * @library /test/lib
29  * @compile -XDignore.symbol.file LongLife.java
30  * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
31  * @run main/othervm -Djdk.net.hosts.file=TestHosts LongLife
32  */
33 
34 import org.ietf.jgss.GSSCredential;
35 import org.ietf.jgss.GSSManager;
36 import sun.security.krb5.Config;
37 import javax.security.auth.Subject;
38 import javax.security.auth.kerberos.KerberosTicket;
39 import java.security.PrivilegedExceptionAction;
40 
41 public class LongLife {
42 
main(String[] args)43     public static void main(String[] args) throws Exception {
44 
45         OneKDC kdc = new OneKDC(null).writeJAASConf();
46 
47         test(kdc, "10h", false, 36000, false);
48         test(kdc, "2d", false, KDC.DEFAULT_LIFETIME, true);
49         test(kdc, "2d", true, 2 * 24 * 3600, false);
50 
51         // 8187218: getRemainingLifetime() is negative if lifetime
52         // is longer than 30 days.
53         test(kdc, "30d", true, 30 * 24 * 3600, false);
54     }
55 
test( KDC kdc, String ticketLifetime, boolean forceTill, int expectedLifeTime, boolean expectedRenewable)56     static void test(
57             KDC kdc,
58             String ticketLifetime,
59             boolean forceTill, // if true, KDC will not try RENEWABLE
60             int expectedLifeTime,
61             boolean expectedRenewable) throws Exception {
62 
63         KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
64                 "ticket_lifetime = " + ticketLifetime);
65         Config.refresh();
66 
67         if (forceTill) {
68             System.setProperty("test.kdc.force.till", "");
69         } else {
70             System.clearProperty("test.kdc.force.till");
71         }
72 
73         Context c = Context.fromJAAS("client");
74 
75         GSSCredential cred = Subject.doAs(c.s(),
76                 (PrivilegedExceptionAction<GSSCredential>)
77                 ()-> {
78                     GSSManager m = GSSManager.getInstance();
79                     return m.createCredential(GSSCredential.INITIATE_ONLY);
80                 });
81 
82         KerberosTicket tgt = c.s().getPrivateCredentials(KerberosTicket.class)
83                 .iterator().next();
84         System.out.println(tgt);
85 
86         int actualLifeTime = cred.getRemainingLifetime();
87         if (actualLifeTime < expectedLifeTime - 60
88                 || actualLifeTime > expectedLifeTime + 60) {
89             throw new Exception("actualLifeTime is " + actualLifeTime);
90         }
91 
92         if (tgt.isRenewable() != expectedRenewable) {
93             throw new Exception("TGT's RENEWABLE flag is " + tgt.isRenewable());
94         }
95     }
96 }
97