| /* |
| * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| /* |
| * @test |
| * @bug 8044500 |
| * @summary Add kinit options and krb5.conf flags that allow users to |
| * obtain renewable tickets and specify ticket lifetimes |
| * @library ../../../../java/security/testlibrary/ |
| * @compile -XDignore.symbol.file Renewal.java |
| * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock Renewal |
| */ |
| |
| import sun.security.jgss.GSSUtil; |
| import sun.security.krb5.Config; |
| import sun.security.krb5.internal.ccache.Credentials; |
| import sun.security.krb5.internal.ccache.FileCredentialsCache; |
| |
| import javax.security.auth.kerberos.KerberosTicket; |
| import java.util.Date; |
| import java.util.Random; |
| import java.util.Set; |
| |
| // The basic krb5 test skeleton you can copy from |
| public class Renewal { |
| |
| static OneKDC kdc; |
| static String clazz = "sun.security.krb5.internal.tools.Kinit"; |
| |
| public static void main(String[] args) throws Exception { |
| |
| kdc = new OneKDC(null); |
| kdc.writeJAASConf(); |
| kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false); |
| |
| checkLogin(null, null, KDC.DEFAULT_LIFETIME, -1); |
| checkLogin("1h", null, 3600, -1); |
| checkLogin(null, "2d", KDC.DEFAULT_LIFETIME, 86400*2); |
| checkLogin("1h", "10h", 3600, 36000); |
| // When rtime is before till, use till as rtime |
| checkLogin("10h", "1h", 36000, 36000); |
| |
| try { |
| Class.forName(clazz); |
| } catch (ClassNotFoundException cnfe) { |
| return; |
| } |
| |
| checkKinit(null, null, null, null, KDC.DEFAULT_LIFETIME, -1); |
| checkKinit("1h", "10h", null, null, 3600, 36000); |
| checkKinit(null, null, "30m", "5h", 1800, 18000); |
| checkKinit("1h", "10h", "30m", "5h", 1800, 18000); |
| |
| checkKinitRenew(); |
| } |
| |
| static int count = 0; |
| |
| static void checkKinit( |
| String s1, // ticket_lifetime in krb5.conf, null if none |
| String s2, // renew_lifetime in krb5.conf, null if none |
| String c1, // -l on kinit, null if none |
| String c2, // -r on kinit, null if none |
| int t1, int t2 // expected lifetimes, -1 of unexpected |
| ) throws Exception { |
| KDC.saveConfig(OneKDC.KRB5_CONF, kdc, |
| s1 != null ? ("ticket_lifetime = " + s1) : "", |
| s2 != null ? ("renew_lifetime = " + s2) : ""); |
| Proc p = Proc.create(clazz); |
| if (c1 != null) { |
| p.args("-l", c1); |
| } |
| if (c2 != null) { |
| p.args("-r", c2); |
| } |
| count++; |
| p.args(OneKDC.USER, new String(OneKDC.PASS)) |
| .inheritIO() |
| .prop("sun.net.spi.nameservice.provider.1", "ns,mock") |
| .prop("java.security.krb5.conf", OneKDC.KRB5_CONF) |
| .env("KRB5CCNAME", "ccache" + count) |
| .start(); |
| if (p.waitFor() != 0) { |
| throw new Exception(); |
| } |
| FileCredentialsCache fcc = |
| FileCredentialsCache.acquireInstance(null, "ccache" + count); |
| Credentials cred = fcc.getDefaultCreds(); |
| checkRough(cred.getEndTime().toDate(), t1); |
| if (cred.getRenewTill() == null) { |
| checkRough(null, t2); |
| } else { |
| checkRough(cred.getRenewTill().toDate(), t2); |
| } |
| } |
| |
| static void checkKinitRenew() throws Exception { |
| Proc p = Proc.create(clazz) |
| .args("-R") |
| .inheritIO() |
| .prop("sun.net.spi.nameservice.provider.1", "ns,mock") |
| .prop("java.security.krb5.conf", OneKDC.KRB5_CONF) |
| .env("KRB5CCNAME", "ccache" + count) |
| .start(); |
| if (p.waitFor() != 0) { |
| throw new Exception(); |
| } |
| } |
| |
| static void checkLogin( |
| String s1, // ticket_lifetime in krb5.conf, null if none |
| String s2, // renew_lifetime in krb5.conf, null if none |
| int t1, int t2 // expected lifetimes, -1 of unexpected |
| ) throws Exception { |
| KDC.saveConfig(OneKDC.KRB5_CONF, kdc, |
| s1 != null ? ("ticket_lifetime = " + s1) : "", |
| s2 != null ? ("renew_lifetime = " + s2) : ""); |
| Config.refresh(); |
| |
| Context c; |
| c = Context.fromJAAS("client"); |
| |
| Set<KerberosTicket> tickets = |
| c.s().getPrivateCredentials(KerberosTicket.class); |
| if (tickets.size() != 1) { |
| throw new Exception(); |
| } |
| KerberosTicket ticket = tickets.iterator().next(); |
| |
| checkRough(ticket.getEndTime(), t1); |
| checkRough(ticket.getRenewTill(), t2); |
| } |
| |
| static void checkRough(Date t, int duration) throws Exception { |
| Date now = new Date(); |
| if (t == null && duration == -1) { |
| return; |
| } |
| long change = (t.getTime() - System.currentTimeMillis()) / 1000; |
| if (change > duration + 20 || change < duration - 20) { |
| throw new Exception(t + " is not " + duration); |
| } |
| } |
| } |