/*
 * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 6853328 7172701
 * @run main/othervm OkAsDelegate false true true false false false
 *      FORWARDABLE ticket not allowed, always fail
 * @run main/othervm OkAsDelegate true false false false false false
 *      Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
 * @run main/othervm OkAsDelegate true false true false false false
 *      Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
 * @run main/othervm OkAsDelegate true true false true false true
 *      Service ticket no OK-AS-DELEGATE. Request deleg, granted
 * @run main/othervm OkAsDelegate true true true true false true
 *      Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
 * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
 *      Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
 * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
 *      Service ticket has OK-AS-DELEGATE. granted, with info by policy
 * @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false
 * @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false
 * @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false
 * @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true
 * @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true
 * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
 * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
 * @summary Support OK-AS-DELEGATE flag
 */
import com.sun.security.jgss.ExtendedGSSContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;

/**
 * Checks how credential delegation behaves with and without the Kerberos
 * OK-AS-DELEGATE ticket flag.
 *
 * <p>Each {@code @run} line in the header supplies six booleans: one
 * precondition (is {@code forwardable} left on in krb5.conf), two initiator
 * requests (credential delegation, delegation by policy) and three expected
 * outcomes. According to the descriptions on those lines:
 * <ul>
 *   <li>without a forwardable ticket nothing is ever delegated;</li>
 *   <li>an explicit delegation request is granted whether or not the service
 *       ticket carries OK-AS-DELEGATE;</li>
 *   <li>a policy-only request is granted only when the service ticket carries
 *       OK-AS-DELEGATE.</li>
 * </ul>
 *
 * <p>Two system properties change the setup: {@code test.kdc.policy.ok-as-delegate}
 * is handed to the test KDC as its {@code OK_AS_DELEGATE} option, and the mere
 * presence of {@code test.spnego} switches the mechanism from Kerberos 5 to SPNEGO.
 */
public class OkAsDelegate {

    /**
     * Parses the six expectation flags and runs one scenario.
     *
     * <p>Only {@code args[0]} through {@code args[5]} are read. The free-text
     * description that follows several {@code @run} lines in the header
     * presumably reaches this method as extra arguments (TODO confirm against
     * jtreg); anything past the sixth argument is ignored.
     *
     * @param args the six booleans, in the order of the parameters of {@link #go}
     * @throws Exception if the scenario does not behave as the flags say it should
     */
    public static void main(String[] args) throws Exception {
        boolean forwardable = Boolean.parseBoolean(args[0]);              // FORWARDABLE in krb5.conf on?
        boolean requestDelegState = Boolean.parseBoolean(args[1]);        // requestDelegState
        boolean requestDelegPolicyState = Boolean.parseBoolean(args[2]);  // requestDelegPolicyState
        boolean delegState = Boolean.parseBoolean(args[3]);               // DelegState in response
        boolean delegPolicyState = Boolean.parseBoolean(args[4]);         // DelegPolicyState in response
        boolean delegated = Boolean.parseBoolean(args[5]);                // getDelegCred OK?

        new OkAsDelegate().go(
                forwardable,
                requestDelegState,
                requestDelegPolicyState,
                delegState,
                delegPolicyState,
                delegated);
    }

    /**
     * Sets up the KDC, establishes a context between the JAAS "client" entry
     * and the acceptor entry, and compares the resulting delegation state
     * with the expected values.
     *
     * @param forwardable             when {@code false}, krb5.conf is rewritten
     *                                without the default {@code forwardable = true}
     * @param requestDelegState       value passed to {@code requestCredDeleg}
     * @param requestDelegPolicyState value passed to {@code requestDelegPolicy}
     * @param delegState              expected {@code getCredDelegState()} on both sides
     * @param delegPolicyState        expected {@code getDelegPolicyState()} on the initiator
     * @param delegated               whether the acceptor must end up holding a
     *                                delegated credential
     * @throws Exception on the first mismatch, or if setup or the handshake fails
     */
    void go(
            boolean forwardable,
            boolean requestDelegState,
            boolean requestDelegPolicyState,
            boolean delegState,
            boolean delegPolicyState,
            boolean delegated
            ) throws Exception {
        OneKDC testKdc = new OneKDC(null);
        // The property value (null when the property is absent) decides
        // whether the KDC marks service tickets OK-AS-DELEGATE.
        String okAsDelegatePolicy = System.getProperty("test.kdc.policy.ok-as-delegate");
        testKdc.setOption(KDC.Option.OK_AS_DELEGATE, okAsDelegatePolicy);
        testKdc.writeJAASConf();

        if (!forwardable) {
            // OneKDC's stock krb5.conf carries "forwardable = true"; write a
            // replacement that omits it and make the Kerberos config reload.
            KDC.saveConfig(OneKDC.KRB5_CONF, testKdc,
                    "default_keytab_name = " + OneKDC.KTAB);
            Config.refresh();
        }

        Context initiator = Context.fromJAAS("client");
        Context acceptor = Context.fromJAAS("com.sun.security.jgss.krb5.accept");

        // Presence of the property is enough; its value is never looked at.
        Oid mech = System.getProperty("test.spnego") == null
                ? GSSUtil.GSS_KRB5_MECH_OID
                : GSSUtil.GSS_SPNEGO_MECH_OID;

        initiator.startAsClient(OneKDC.SERVER, mech);
        ExtendedGSSContext initiatorCtx = (ExtendedGSSContext) initiator.x();
        // Both requests are made before the handshake starts.
        initiatorCtx.requestCredDeleg(requestDelegState);
        initiatorCtx.requestDelegPolicy(requestDelegPolicyState);
        acceptor.startAsServer(mech);
        GSSContext acceptorCtx = acceptor.x();

        Context.handshake(initiator, acceptor);

        // Both peers must agree on whether delegation took place.
        require(initiatorCtx.getCredDelegState() == delegState,
                "Initiator cred state error");
        require(acceptorCtx.getCredDelegState() == delegState,
                "Acceptor cred state error");
        // Only the initiator is asked whether the grant came from policy.
        require(initiatorCtx.getDelegPolicyState() == delegPolicyState,
                "Initiator cred policy state error");

        GSSCredential delegatedCred = delegatedCredOrNull(acceptor);
        require(delegated == (delegatedCred != null), "get cred error");
    }

    /**
     * Throws a plain {@link Exception} carrying {@code failure} unless
     * {@code matches} is true.
     */
    private static void require(boolean matches, String failure) throws Exception {
        if (!matches) {
            throw new Exception(failure);
        }
    }

    /**
     * Returns the credential delegated to the acceptor, or {@code null} if
     * asking for it raises a {@link GSSException}.
     *
     * <p>NOTE(review): every GSSException is read as "nothing was delegated",
     * so in the runs that expect no credential an unrelated failure at this
     * point would not be noticed; the state checks made before this call are
     * what those runs really depend on.
     */
    private static GSSCredential delegatedCredOrNull(Context acceptor) {
        try {
            return acceptor.x().getDelegCred();
        } catch (GSSException ignored) {
            // Deliberate: the caller treats null as "no delegated credential".
            return null;
        }
    }
}