1
/*
2
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
import java.nio.file.Files;
25
import java.nio.file.Paths;
26
import java.time.Instant;
27
import java.util.Arrays;
28
import java.util.HashMap;
29
import java.util.Map;
30
import java.util.Set;
31
import javax.security.auth.RefreshFailedException;
32
import javax.security.auth.Subject;
33
import javax.security.auth.kerberos.KerberosTicket;
34
import javax.security.auth.login.LoginContext;
35

36
/*
37
 * @test
38
 * @bug 6857795 8075299 8194486
39
 * @summary Checks Kerberos ticket properties
40
 * @library /test/lib
41
 * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
42
 * @run main/othervm -Djdk.net.hosts.file=TestHosts KrbTicket
43
 */
44
public class KrbTicket {
45

46
    private static final String REALM = "TEST.REALM";
47
    private static final String HOST = "localhost";
48
    private static final String USER = "TESTER";
49
    private static final String USER_PRINCIPAL = USER + "@" + REALM;
50
    private static final String PASSWORD = "password";
51
    private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
52
    private static final String KRB5_CONF_FILENAME = "krb5.conf";
53
    private static final String JAAS_CONF = "jaas.conf";
54
    private static final long TICKET_LIFTETIME = 5 * 60 * 1000; // 5 mins
55

56
    public static void main(String[] args) throws Exception {
57
        // define principals
58
        Map<String, String> principals = new HashMap<>();
59
        principals.put(USER_PRINCIPAL, PASSWORD);
60
        principals.put(KRBTGT_PRINCIPAL, null);
61

62
        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);
63

64
        // start a local KDC instance
65
        KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null);
66
        KDC.saveConfig(KRB5_CONF_FILENAME, kdc,
67
                "forwardable = true", "proxiable = true");
68

69
        // create JAAS config
70
        Files.write(Paths.get(JAAS_CONF), Arrays.asList(
71
                "Client {",
72
                "    com.sun.security.auth.module.Krb5LoginModule required;",
73
                "};"
74
        ));
75
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
76
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
77

78
        long startTime = Instant.now().getEpochSecond() * 1000;
79

80
        LoginContext lc = new LoginContext("Client",
81
                new Helper.UserPasswordHandler(USER, PASSWORD));
82
        lc.login();
83

84
        Subject subject = lc.getSubject();
85
        System.out.println("subject: " + subject);
86

87
        Set creds = subject.getPrivateCredentials(
88
                KerberosTicket.class);
89

90
        if (creds.size() > 1) {
91
            throw new RuntimeException("Multiple credintials found");
92
        }
93

94
        Object o = creds.iterator().next();
95
        if (!(o instanceof KerberosTicket)) {
96
            throw new RuntimeException("Instance of KerberosTicket expected");
97
        }
98
        KerberosTicket krbTkt = (KerberosTicket) o;
99

100
        System.out.println("forwardable = " + krbTkt.isForwardable());
101
        System.out.println("proxiable   = " + krbTkt.isProxiable());
102
        System.out.println("renewable   = " + krbTkt.isRenewable());
103
        System.out.println("current     = " + krbTkt.isCurrent());
104

105
        if (!krbTkt.isForwardable()) {
106
            throw new RuntimeException("Forwardable ticket expected");
107
        }
108

109
        if (!krbTkt.isProxiable()) {
110
            throw new RuntimeException("Proxiable ticket expected");
111
        }
112

113
        if (!krbTkt.isCurrent()) {
114
            throw new RuntimeException("Ticket is not current");
115
        }
116

117
        if (krbTkt.isRenewable()) {
118
            throw new RuntimeException("Not renewable ticket expected");
119
        }
120
        try {
121
            krbTkt.refresh();
122
            throw new RuntimeException(
123
                    "Expected RefreshFailedException not thrown");
124
        } catch(RefreshFailedException e) {
125
            System.out.println("Expected exception: " + e);
126
        }
127

128
        if (!checkTime(krbTkt, startTime)) {
129
            throw new RuntimeException("Wrong ticket life time");
130
        }
131

132
        krbTkt.destroy();
133
        if (!krbTkt.isDestroyed()) {
134
            throw new RuntimeException("Ticket not destroyed");
135
        }
136

137
        System.out.println("Test passed");
138
    }
139

140
    private static boolean checkTime(KerberosTicket krbTkt, long startTime) {
141
        long ticketEndTime = krbTkt.getEndTime().getTime();
142
        long roughLifeTime = ticketEndTime - startTime;
143
        System.out.println("start time            = " + startTime);
144
        System.out.println("end time              = " + ticketEndTime);
145
        System.out.println("rough life time       = " + roughLifeTime);
146
        return roughLifeTime >= TICKET_LIFTETIME;
147
    }
148
}
149

150