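/*
 * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 6853328 7172701 8194486
 * @summary Support OK-AS-DELEGATE flag
 * @library /test/lib
 * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
 * @run main/othervm -Djdk.net.hosts.file=TestHosts OkAsDelegate
 *      false true true false false false
 *      FORWARDABLE ticket not allowed, always fail
 * @run main/othervm -Djdk.net.hosts.file=TestHosts OkAsDelegate
 *      true false false false false false
 *      Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
 * @run main/othervm -Djdk.net.hosts.file=TestHosts OkAsDelegate
 *      true false true false false false
 *      Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
 * @run main/othervm -Djdk.net.hosts.file=TestHosts OkAsDelegate
 *      true true false true false true
 *      Service ticket no OK-AS-DELEGATE. Request deleg, granted
 * @run main/othervm -Djdk.net.hosts.file=TestHosts
 *      OkAsDelegate true true true true false true
 *      Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
 * @run main/othervm -Djdk.net.hosts.file=TestHosts
 *      -Dtest.kdc.policy.ok-as-delegate OkAsDelegate
 *      true false true true true true
 *      Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
 * @run main/othervm -Djdk.net.hosts.file=TestHosts
 *      -Dtest.kdc.policy.ok-as-delegate OkAsDelegate
 *      true true true true true true
 *      Service ticket has OK-AS-DELEGATE. granted, with info by policy
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      OkAsDelegate false true true false false false
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      OkAsDelegate true false false false false false
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      OkAsDelegate true false true false false false
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      OkAsDelegate true true false true false true
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      OkAsDelegate true true true true false true
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      -Dtest.kdc.policy.ok-as-delegate OkAsDelegate
 *      true false true true true true
 * @run main/othervm -Djdk.net.hosts.file=TestHosts -Dtest.spnego
 *      -Dtest.kdc.policy.ok-as-delegate OkAsDelegate
 *      true true true true true true
 */
import com.sun.security.jgss.ExtendedGSSContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;

/**
 * Checks how an initiator's delegation requests interact with the KDC's
 * OK-AS-DELEGATE ticket flag, over either the Kerberos 5 or the SPNEGO
 * mechanism.
 *
 * <p>Delegation hands the acceptor a credential of the initiator, so the
 * {@code @run} cases in the jtreg header pin down when that may happen:
 * <ul>
 *   <li>without forwardable tickets in krb5.conf nothing is delegated;</li>
 *   <li>{@code requestCredDeleg(true)} is expected to delegate whether or
 *       not the service ticket carries OK-AS-DELEGATE;</li>
 *   <li>{@code requestDelegPolicy(true)} on its own is expected to delegate
 *       only when the service ticket carries OK-AS-DELEGATE.</li>
 * </ul>
 * An initiator that wants the KDC to decide which services may receive its
 * credential therefore has to rely on {@code requestDelegPolicy} alone; the
 * expected results above show that {@code requestCredDeleg} does not consult
 * the flag.
 */
public class OkAsDelegate {

    /** Number of leading boolean arguments that {@link #main} consumes. */
    private static final int EXPECTED_FLAGS = 6;

    /**
     * Parses the six expectation flags and runs one delegation scenario.
     *
     * @param args six booleans, in the order documented on {@link #go};
     *             anything after them is ignored (the {@code @run} lines in
     *             the header appear to append a free-text description,
     *             which would arrive here as extra arguments)
     * @throws IllegalArgumentException if fewer than six arguments are given
     * @throws Exception if the scenario does not behave as expected
     */
    public static void main(String[] args)
            throws Exception {
        // Fail with a readable message instead of an index error when the
        // @run line is malformed. Extra arguments are tolerated on purpose.
        if (args.length < EXPECTED_FLAGS) {
            throw new IllegalArgumentException(
                    "OkAsDelegate needs " + EXPECTED_FLAGS
                    + " boolean arguments, got " + args.length);
        }
        OkAsDelegate ok = new OkAsDelegate();
        ok.go(
                Boolean.parseBoolean(args[0]), // FORWARDABLE in krb5.conf on?
                Boolean.parseBoolean(args[1]), // requestDelegState
                Boolean.parseBoolean(args[2]), // requestDelegPolicyState
                Boolean.parseBoolean(args[3]), // DelegState in response
                Boolean.parseBoolean(args[4]), // DelegPolicyState in response
                Boolean.parseBoolean(args[5])  // getDelegCred OK?
                );
    }

    /**
     * Establishes a security context between the JAAS "client" entry and
     * the acceptor entry, then compares the resulting delegation state with
     * the expected values.
     *
     * @param forwardable whether krb5.conf keeps "forwardable = true"
     * @param requestDelegState value passed to {@code requestCredDeleg}
     * @param requestDelegPolicyState value passed to
     *        {@code requestDelegPolicy}
     * @param delegState expected {@code getCredDelegState()} on both sides
     * @param delegPolicyState expected {@code getDelegPolicyState()} on the
     *        initiator
     * @param delegated whether the acceptor is expected to obtain a
     *        non-null credential from {@code getDelegCred()}
     * @throws Exception if any observed state differs from the expectation;
     *         the message names the check and gives expected and actual
     *         values
     */
    void go(
            boolean forwardable,
            boolean requestDelegState,
            boolean requestDelegPolicyState,
            boolean delegState,
            boolean delegPolicyState,
            boolean delegated
            ) throws Exception {
        OneKDC kdc = new OneKDC(null);
        // The property value is handed to the KDC unchanged; it is null
        // unless -Dtest.kdc.policy.ok-as-delegate is on the command line.
        kdc.setOption(KDC.Option.OK_AS_DELEGATE,
                System.getProperty("test.kdc.policy.ok-as-delegate"));
        kdc.writeJAASConf();
        if (!forwardable) {
            // The default OneKDC always includes "forwardable = true"
            // in krb5.conf, override it.
            KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
                    "default_keytab_name = " + OneKDC.KTAB);
            Config.refresh();
        }

        Context c, s;
        c = Context.fromJAAS("client");
        s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");

        Oid mech = GSSUtil.GSS_KRB5_MECH_OID;
        if (System.getProperty("test.spnego") != null) {
            mech = GSSUtil.GSS_SPNEGO_MECH_OID;
        }
        c.startAsClient(OneKDC.SERVER, mech);
        ExtendedGSSContext cx = (ExtendedGSSContext)c.x();
        // Both requests are made before the handshake; which of them ends
        // up granting delegation is what the checks below verify.
        cx.requestCredDeleg(requestDelegState);
        cx.requestDelegPolicy(requestDelegPolicyState);
        s.startAsServer(mech);
        GSSContext sx = s.x();

        Context.handshake(c, s);

        expect("Initiator cred state error",
                delegState, cx.getCredDelegState());
        expect("Acceptor cred state error",
                delegState, sx.getCredDelegState());
        expect("Initiator cred policy state error",
                delegPolicyState, cx.getDelegPolicyState());

        GSSCredential cred = null;
        GSSException credFailure = null;
        try {
            cred = s.x().getDelegCred();
        } catch (GSSException e) {
            // Best effort: a failure here counts as "no credential", but
            // the exception is kept so it can be reported as the cause.
            credFailure = e;
        }

        boolean gotCred = cred != null;
        if (delegated != gotCred) {
            // A credential that shows up when none was expected is the
            // security-relevant direction, so the message spells it out.
            throw new Exception("get cred error: expected delegated credential "
                    + (delegated ? "present" : "absent") + ", but it was "
                    + (gotCred ? "present" : "absent"), credFailure);
        }
    }

    /** Throws with expected and actual values when a state check fails. */
    private static void expect(String what, boolean expected, boolean actual)
            throws Exception {
        if (actual != expected) {
            throw new Exception(what + ": expected " + expected
                    + ", got " + actual);
        }
    }
}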