1/*
2 * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24/*
25 * @test
26 * @bug 6853328 7172701
27 * @run main/othervm OkAsDelegate false true true false false false
28 *      FORWARDABLE ticket not allowed, always fail
29 * @run main/othervm OkAsDelegate true false false false false false
30 *      Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
31 * @run main/othervm OkAsDelegate true false true false false false
32 *      Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
33 * @run main/othervm OkAsDelegate true true false true false true
34 *      Service ticket no OK-AS-DELEGATE. Request deleg, granted
35 * @run main/othervm OkAsDelegate true true true true false true
36 *      Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
37 * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
38 *      Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
39 * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
40 *      Service ticket has OK-AS-DELEGATE. granted, with info by policy
41 * @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false
42 * @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false
43 * @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false
44 * @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true
45 * @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true
46 * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
47 * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
48 * @summary Support OK-AS-DELEGATE flag
49 */
50import com.sun.security.jgss.ExtendedGSSContext;
51import org.ietf.jgss.GSSContext;
52import org.ietf.jgss.GSSCredential;
53import org.ietf.jgss.GSSException;
54import org.ietf.jgss.Oid;
55import sun.security.jgss.GSSUtil;
56import sun.security.krb5.Config;
57
58public class OkAsDelegate {
59
60    public static void main(String[] args)
61            throws Exception {
62        OkAsDelegate ok = new OkAsDelegate();
63        ok.go(
64                Boolean.valueOf(args[0]),   // FORWARDABLE in krb5.conf on?
65                Boolean.valueOf(args[1]),   // requestDelegState
66                Boolean.valueOf(args[2]),   // requestDelegPolicyState
67                Boolean.valueOf(args[3]),   // DelegState in response
68                Boolean.valueOf(args[4]),   // DelegPolicyState in response
69                Boolean.valueOf(args[5])    // getDelegCred OK?
70                );
71    }
72
73    void go(
74            boolean forwardable,
75            boolean requestDelegState,
76            boolean requestDelegPolicyState,
77            boolean delegState,
78            boolean delegPolicyState,
79            boolean delegated
80            ) throws Exception {
81        OneKDC kdc = new OneKDC(null);
82        kdc.setOption(KDC.Option.OK_AS_DELEGATE,
83                System.getProperty("test.kdc.policy.ok-as-delegate"));
84        kdc.writeJAASConf();
85        if (!forwardable) {
86            // The default OneKDC always includes "forwardable = true"
87            // in krb5.conf, override it.
88            KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
89                    "default_keytab_name = " + OneKDC.KTAB);
90            Config.refresh();
91        }
92
93        Context c, s;
94        c = Context.fromJAAS("client");
95        s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
96
97        Oid mech = GSSUtil.GSS_KRB5_MECH_OID;
98        if (System.getProperty("test.spnego") != null) {
99            mech = GSSUtil.GSS_SPNEGO_MECH_OID;
100        }
101        c.startAsClient(OneKDC.SERVER, mech);
102        ExtendedGSSContext cx = (ExtendedGSSContext)c.x();
103        cx.requestCredDeleg(requestDelegState);
104        cx.requestDelegPolicy(requestDelegPolicyState);
105        s.startAsServer(mech);
106        GSSContext sx = s.x();
107
108        Context.handshake(c, s);
109
110        if (cx.getCredDelegState() != delegState) {
111            throw new Exception("Initiator cred state error");
112        }
113        if (sx.getCredDelegState() != delegState) {
114            throw new Exception("Acceptor cred state error");
115        }
116        if (cx.getDelegPolicyState() != delegPolicyState) {
117            throw new Exception("Initiator cred policy state error");
118        }
119
120        GSSCredential cred = null;
121        try {
122            cred = s.x().getDelegCred();
123        } catch (GSSException e) {
124            // leave cred as null
125        }
126
127        if (delegated != (cred != null)) {
128            throw new Exception("get cred error");
129        }
130    }
131}
132