1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.kerberos.protocol;
21  
22  
23  import java.net.InetAddress;
24  
25  import javax.security.auth.kerberos.KerberosPrincipal;
26  
27  import org.apache.directory.server.kerberos.kdc.KdcServer;
28  import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
29  import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
30  import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
31  import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
32  import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
33  import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
34  import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
35  import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
36  import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
37  import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
38  import org.apache.directory.server.kerberos.shared.messages.value.RequestBody;
39  import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
40  import org.apache.directory.server.kerberos.shared.messages.value.flags.TicketFlag;
41  import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
42  
43  
44  /**
45   * Tests configuration of Ticket-Granting Service (TGS) policy.
46   *
47   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
48   * @version $Rev$, $Date$
49   */
50  public class TicketGrantingPolicyTest extends AbstractTicketGrantingServiceTest
51  {
52      private KdcServer config;
53      private PrincipalStore store;
54      private KerberosProtocolHandler handler;
55      private DummySession session;
56  
57  
58      /**
59       * Creates a new instance of {@link TicketGrantingPolicyTest}.
60       */
61      public TicketGrantingPolicyTest()
62      {
63          config = new KdcServer();
64  
65          /*
66           * Body checksum verification must be disabled because we are bypassing
67           * the codecs, where the body bytes are set on the KdcRequest message.
68           */
69          config.setBodyChecksumVerified( false );
70  
71          store = new MapPrincipalStoreImpl();
72          handler = new KerberosProtocolHandler( config, store );
73          session = new DummySession();
74          lockBox = new CipherTextHandler();
75      }
76  
77  
78      /**
79       * Tests when forwardable tickets are disallowed that requests for
80       * forwardable tickets fail with the correct error message.
81       *
82       * @throws Exception
83       */
84      public void testForwardableTicket() throws Exception
85      {
86          // Deny FORWARDABLE tickets in policy.
87          config.setForwardableAllowed( false );
88  
89          // Get the mutable ticket part.
90          KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
91          EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
92  
93          // Make changes to test.
94          encTicketPartModifier.setFlag( TicketFlag.FORWARDABLE );
95  
96          // Seal the ticket for the server.
97          KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
98          String passPhrase = "randomKey";
99          EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
100         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
101 
102         RequestBodyModifier modifier = new RequestBodyModifier();
103         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
104         modifier.setRealm( "EXAMPLE.COM" );
105         modifier.setEType( config.getEncryptionTypes() );
106         modifier.setNonce( random.nextInt() );
107 
108         KdcOptions kdcOptions = new KdcOptions();
109         kdcOptions.set( KdcOptions.FORWARDABLE );
110         modifier.setKdcOptions( kdcOptions );
111 
112         long now = System.currentTimeMillis();
113 
114         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
115         modifier.setTill( requestedEndTime );
116 
117         RequestBody requestBody = modifier.getRequestBody();
118         KdcRequest message = getKdcRequest( tgt, requestBody );
119 
120         handler.messageReceived( session, message );
121 
122         ErrorMessage error = ( ErrorMessage ) session.getMessage();
123         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
124     }
125 
126 
127     /**
128      * Tests when forwardable tickets are disallowed that requests for
129      * forwarded tickets fail with the correct error message.
130      *
131      * @throws Exception
132      */
133     public void testForwardedTicket() throws Exception
134     {
135         // Deny FORWARDABLE tickets in policy.
136         config.setForwardableAllowed( false );
137 
138         // Get the mutable ticket part.
139         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
140         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
141 
142         // Make changes to test.
143         encTicketPartModifier.setFlag( TicketFlag.FORWARDABLE );
144 
145         // Seal the ticket for the server.
146         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
147         String passPhrase = "randomKey";
148         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
149         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
150 
151         RequestBodyModifier modifier = new RequestBodyModifier();
152         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
153         modifier.setRealm( "EXAMPLE.COM" );
154         modifier.setEType( config.getEncryptionTypes() );
155         modifier.setNonce( random.nextInt() );
156 
157         KdcOptions kdcOptions = new KdcOptions();
158         kdcOptions.set( KdcOptions.FORWARDED );
159         modifier.setKdcOptions( kdcOptions );
160 
161         long now = System.currentTimeMillis();
162 
163         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
164         modifier.setTill( requestedEndTime );
165 
166         RequestBody requestBody = modifier.getRequestBody();
167         KdcRequest message = getKdcRequest( tgt, requestBody );
168 
169         handler.messageReceived( session, message );
170 
171         ErrorMessage error = ( ErrorMessage ) session.getMessage();
172         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
173     }
174 
175 
176     /**
177      * Tests when empty addresses are disallowed and forwarded tickets are requested
178      * that requests with no addresses fail with the correct error message.
179      *
180      * @throws Exception
181      */
182     public void testForwardedNoAddressesTicket() throws Exception
183     {
184         // Deny empty addresses tickets in policy.
185         config.setEmptyAddressesAllowed( false );
186 
187         // Get the mutable ticket part.
188         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
189         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
190 
191         // Make changes to test.
192         encTicketPartModifier.setFlag( TicketFlag.FORWARDABLE );
193 
194         HostAddress[] address =
195                 {new HostAddress( InetAddress.getByAddress( new byte[4] ) )};
196         HostAddresses addresses = new HostAddresses( address );
197         encTicketPartModifier.setClientAddresses( addresses );
198 
199         // Seal the ticket for the server.
200         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
201         String passPhrase = "randomKey";
202         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
203         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
204 
205         RequestBodyModifier modifier = new RequestBodyModifier();
206         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
207         modifier.setRealm( "EXAMPLE.COM" );
208         modifier.setEType( config.getEncryptionTypes() );
209         modifier.setNonce( random.nextInt() );
210 
211         KdcOptions kdcOptions = new KdcOptions();
212         kdcOptions.set( KdcOptions.FORWARDED );
213         modifier.setKdcOptions( kdcOptions );
214 
215         long now = System.currentTimeMillis();
216 
217         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
218         modifier.setTill( requestedEndTime );
219 
220         RequestBody requestBody = modifier.getRequestBody();
221         KdcRequest message = getKdcRequest( tgt, requestBody );
222 
223         handler.messageReceived( session, message );
224 
225         ErrorMessage error = ( ErrorMessage ) session.getMessage();
226         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
227     }
228 
229 
230     /**
231      * Tests when proxiable tickets are disallowed that requests for
232      * proxiable tickets fail with the correct error message.
233      *
234      * @throws Exception
235      */
236     public void testProxiableTicket() throws Exception
237     {
238         // Deny PROXIABLE tickets in policy.
239         config.setProxiableAllowed( false );
240 
241         // Get the mutable ticket part.
242         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
243         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
244 
245         // Make changes to test.
246         encTicketPartModifier.setFlag( TicketFlag.PROXIABLE );
247 
248         // Seal the ticket for the server.
249         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
250         String passPhrase = "randomKey";
251         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
252         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
253 
254         RequestBodyModifier modifier = new RequestBodyModifier();
255         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
256         modifier.setRealm( "EXAMPLE.COM" );
257         modifier.setEType( config.getEncryptionTypes() );
258         modifier.setNonce( random.nextInt() );
259 
260         KdcOptions kdcOptions = new KdcOptions();
261         kdcOptions.set( KdcOptions.PROXIABLE );
262         modifier.setKdcOptions( kdcOptions );
263 
264         long now = System.currentTimeMillis();
265 
266         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
267         modifier.setTill( requestedEndTime );
268 
269         RequestBody requestBody = modifier.getRequestBody();
270         KdcRequest message = getKdcRequest( tgt, requestBody );
271 
272         handler.messageReceived( session, message );
273 
274         ErrorMessage error = ( ErrorMessage ) session.getMessage();
275         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
276     }
277 
278 
279     /**
280      * Tests when proxiable tickets are disallowed that requests for
281      * proxy tickets fail with the correct error message.
282      *
283      * @throws Exception
284      */
285     public void testProxyTicket() throws Exception
286     {
287         // Deny PROXIABLE tickets in policy.
288         config.setProxiableAllowed( false );
289 
290         // Get the mutable ticket part.
291         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
292         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
293 
294         // Make changes to test.
295         encTicketPartModifier.setFlag( TicketFlag.PROXIABLE );
296 
297         // Seal the ticket for the server.
298         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
299         String passPhrase = "randomKey";
300         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
301         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
302 
303         RequestBodyModifier modifier = new RequestBodyModifier();
304         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
305         modifier.setRealm( "EXAMPLE.COM" );
306         modifier.setEType( config.getEncryptionTypes() );
307         modifier.setNonce( random.nextInt() );
308 
309         KdcOptions kdcOptions = new KdcOptions();
310         kdcOptions.set( KdcOptions.PROXY );
311         modifier.setKdcOptions( kdcOptions );
312 
313         long now = System.currentTimeMillis();
314 
315         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
316         modifier.setTill( requestedEndTime );
317 
318         HostAddress[] address =
319                 {new HostAddress( InetAddress.getLocalHost() )};
320         HostAddresses addresses = new HostAddresses( address );
321         modifier.setAddresses( addresses );
322 
323         RequestBody requestBody = modifier.getRequestBody();
324         KdcRequest message = getKdcRequest( tgt, requestBody );
325 
326         handler.messageReceived( session, message );
327 
328         ErrorMessage error = ( ErrorMessage ) session.getMessage();
329         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
330     }
331 
332 
333     /**
334      * Tests when empty addresses are disallowed and proxy tickets are requested
335      * that requests with no addresses fail with the correct error message.
336      *
337      * @throws Exception
338      */
339     public void testProxyNoAddressesTicket() throws Exception
340     {
341         // Deny empty addresses tickets in policy.
342         config.setEmptyAddressesAllowed( false );
343 
344         // Get the mutable ticket part.
345         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
346         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
347 
348         // Make changes to test.
349         encTicketPartModifier.setFlag( TicketFlag.PROXIABLE );
350 
351         HostAddress[] address =
352                 {new HostAddress( InetAddress.getByAddress( new byte[4] ) )};
353         HostAddresses addresses = new HostAddresses( address );
354         encTicketPartModifier.setClientAddresses( addresses );
355 
356         // Seal the ticket for the server.
357         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
358         String passPhrase = "randomKey";
359         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
360         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
361 
362         RequestBodyModifier modifier = new RequestBodyModifier();
363         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
364         modifier.setRealm( "EXAMPLE.COM" );
365         modifier.setEType( config.getEncryptionTypes() );
366         modifier.setNonce( random.nextInt() );
367 
368         KdcOptions kdcOptions = new KdcOptions();
369         kdcOptions.set( KdcOptions.PROXY );
370         modifier.setKdcOptions( kdcOptions );
371 
372         long now = System.currentTimeMillis();
373 
374         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
375         modifier.setTill( requestedEndTime );
376 
377         RequestBody requestBody = modifier.getRequestBody();
378         KdcRequest message = getKdcRequest( tgt, requestBody );
379 
380         handler.messageReceived( session, message );
381 
382         ErrorMessage error = ( ErrorMessage ) session.getMessage();
383         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
384     }
385 
386 
387     /**
388      * Tests when postdated tickets are disallowed that requests for
389      * ALLOW-POSTDATE tickets fail with the correct error message.
390      *
391      * @throws Exception
392      */
393     public void testAllowPostdate() throws Exception
394     {
395         // Deny ALLOW_POSTDATE tickets in policy.
396         config.setPostdatedAllowed( false );
397 
398         // Get the mutable ticket part.
399         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
400         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
401 
402         // Make changes to test.
403         encTicketPartModifier.setFlag( TicketFlag.MAY_POSTDATE );
404 
405         // Seal the ticket for the server.
406         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
407         String passPhrase = "randomKey";
408         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
409         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
410 
411         RequestBodyModifier modifier = new RequestBodyModifier();
412         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
413         modifier.setRealm( "EXAMPLE.COM" );
414         modifier.setEType( config.getEncryptionTypes() );
415         modifier.setNonce( random.nextInt() );
416 
417         KdcOptions kdcOptions = new KdcOptions();
418         kdcOptions.set( KdcOptions.ALLOW_POSTDATE );
419         modifier.setKdcOptions( kdcOptions );
420 
421         long now = System.currentTimeMillis();
422 
423         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
424         modifier.setTill( requestedEndTime );
425 
426         RequestBody requestBody = modifier.getRequestBody();
427         KdcRequest message = getKdcRequest( tgt, requestBody );
428 
429         handler.messageReceived( session, message );
430 
431         ErrorMessage error = ( ErrorMessage ) session.getMessage();
432         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
433     }
434 
435 
436     /**
437      * Tests when postdated tickets are disallowed that requests for
438      * postdated tickets fail with the correct error message.
439      *
440      * @throws Exception
441      */
442     public void testPostdated() throws Exception
443     {
444         // Deny POSTDATED tickets in policy.
445         config.setPostdatedAllowed( false );
446 
447         // Get the mutable ticket part.
448         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
449         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
450 
451         // Make changes to test.
452         encTicketPartModifier.setFlag( TicketFlag.MAY_POSTDATE );
453 
454         // Seal the ticket for the server.
455         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
456         String passPhrase = "randomKey";
457         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
458         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
459 
460         RequestBodyModifier modifier = new RequestBodyModifier();
461         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
462         modifier.setRealm( "EXAMPLE.COM" );
463         modifier.setEType( config.getEncryptionTypes() );
464         modifier.setNonce( random.nextInt() );
465 
466         KdcOptions kdcOptions = new KdcOptions();
467         kdcOptions.set( KdcOptions.POSTDATED );
468         modifier.setKdcOptions( kdcOptions );
469 
470         long now = System.currentTimeMillis();
471 
472         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
473         modifier.setTill( requestedEndTime );
474 
475         RequestBody requestBody = modifier.getRequestBody();
476         KdcRequest message = getKdcRequest( tgt, requestBody );
477 
478         handler.messageReceived( session, message );
479 
480         ErrorMessage error = ( ErrorMessage ) session.getMessage();
481         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
482     }
483 
484 
485     /**
486      * Tests when postdated tickets are disallowed that requests for
487      * validation of invalid tickets fail with the correct error message.
488      *
489      * @throws Exception
490      */
491     public void testValidateInvalidTicket() throws Exception
492     {
493         // Deny VALIDATE tickets in policy.
494         config.setPostdatedAllowed( false );
495 
496         // Get the mutable ticket part.
497         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
498         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
499 
500         // Make changes to test.
501         encTicketPartModifier.setFlag( TicketFlag.INVALID );
502 
503         // Seal the ticket for the server.
504         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
505         String passPhrase = "randomKey";
506         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
507         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
508 
509         RequestBodyModifier modifier = new RequestBodyModifier();
510         modifier.setServerName( getPrincipalName( "hnelson" ) );
511         modifier.setRealm( "EXAMPLE.COM" );
512         modifier.setEType( config.getEncryptionTypes() );
513         modifier.setNonce( random.nextInt() );
514 
515         KdcOptions kdcOptions = new KdcOptions();
516         kdcOptions.set( KdcOptions.VALIDATE );
517         modifier.setKdcOptions( kdcOptions );
518 
519         long currentTime = System.currentTimeMillis();
520 
521         KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
522         modifier.setTill( requestedEndTime );
523 
524         RequestBody requestBody = modifier.getRequestBody();
525 
526         KdcRequest message = getKdcRequest( tgt, requestBody );
527 
528         handler.messageReceived( session, message );
529 
530         ErrorMessage error = ( ErrorMessage ) session.getMessage();
531         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
532     }
533 
534 
535     /**
536      * Tests when renewable tickets are disallowed that requests for
537      * renewal of tickets fail with the correct error message.
538      *
539      * @throws Exception
540      */
541     public void testRenewTicket() throws Exception
542     {
543         // Deny RENEWABLE tickets in policy.
544         config.setRenewableAllowed( false );
545 
546         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
547         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
548         String serverPassword = "randomKey";
549 
550         Ticket tgt = getTgt( clientPrincipal, serverPrincipal, serverPassword );
551 
552         RequestBodyModifier modifier = new RequestBodyModifier();
553         modifier.setServerName( getPrincipalName( "hnelson" ) );
554         modifier.setRealm( "EXAMPLE.COM" );
555         modifier.setEType( config.getEncryptionTypes() );
556         modifier.setNonce( random.nextInt() );
557 
558         KdcOptions kdcOptions = new KdcOptions();
559         kdcOptions.set( KdcOptions.RENEW );
560         modifier.setKdcOptions( kdcOptions );
561 
562         long currentTime = System.currentTimeMillis();
563 
564         KerberosTime requestedEndTime = new KerberosTime( currentTime + KerberosTime.DAY );
565         modifier.setTill( requestedEndTime );
566 
567         RequestBody requestBody = modifier.getRequestBody();
568 
569         KdcRequest message = getKdcRequest( tgt, requestBody );
570 
571         handler.messageReceived( session, message );
572 
573         ErrorMessage error = ( ErrorMessage ) session.getMessage();
574         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
575     }
576 
577 
578     /**
579      * Tests when renewable tickets are disallowed that requests for
580      * RENEWABLE-OK tickets fail with the correct error message.
581      *
582      * @throws Exception
583      */
584     public void testRenewableOk() throws Exception
585     {
586         // Deny RENEWABLE tickets in policy.
587         config.setRenewableAllowed( false );
588 
589         // Get the mutable ticket part.
590         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
591         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
592 
593         // Make changes to test.
594         encTicketPartModifier.setFlag( TicketFlag.RENEWABLE );
595 
596         // Seal the ticket for the server.
597         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
598         String passPhrase = "randomKey";
599         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
600         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
601 
602         RequestBodyModifier modifier = new RequestBodyModifier();
603         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
604         modifier.setRealm( "EXAMPLE.COM" );
605         modifier.setEType( config.getEncryptionTypes() );
606         modifier.setNonce( random.nextInt() );
607 
608         KdcOptions kdcOptions = new KdcOptions();
609         kdcOptions.set( KdcOptions.RENEWABLE_OK );
610         modifier.setKdcOptions( kdcOptions );
611 
612         long now = System.currentTimeMillis();
613 
614         KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );
615         modifier.setTill( requestedEndTime );
616 
617         RequestBody requestBody = modifier.getRequestBody();
618         KdcRequest message = getKdcRequest( tgt, requestBody );
619 
620         handler.messageReceived( session, message );
621 
622         ErrorMessage error = ( ErrorMessage ) session.getMessage();
623         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
624     }
625 
626 
627     /**
628      * Tests when renewable tickets are disallowed that requests for
629      * renewable tickets fail with the correct error message.
630      *
631      * @throws Exception
632      */
633     public void testRenewableTicket() throws Exception
634     {
635         // Deny RENEWABLE tickets in policy.
636         config.setRenewableAllowed( false );
637 
638         // Get the mutable ticket part.
639         KerberosPrincipal clientPrincipal = new KerberosPrincipal( "hnelson@EXAMPLE.COM" );
640         EncTicketPartModifier encTicketPartModifier = getTicketArchetype( clientPrincipal );
641 
642         // Make changes to test.
643         encTicketPartModifier.setFlag( TicketFlag.RENEWABLE );
644 
645         // Seal the ticket for the server.
646         KerberosPrincipal serverPrincipal = new KerberosPrincipal( "krbtgt/EXAMPLE.COM@EXAMPLE.COM" );
647         String passPhrase = "randomKey";
648         EncryptionKey serverKey = getEncryptionKey( serverPrincipal, passPhrase );
649         Ticket tgt = getTicket( encTicketPartModifier, serverPrincipal, serverKey );
650 
651         RequestBodyModifier modifier = new RequestBodyModifier();
652         modifier.setServerName( getPrincipalName( "ldap/ldap.example.com@EXAMPLE.COM" ) );
653         modifier.setRealm( "EXAMPLE.COM" );
654         modifier.setEType( config.getEncryptionTypes() );
655         modifier.setNonce( random.nextInt() );
656 
657         KdcOptions kdcOptions = new KdcOptions();
658         kdcOptions.set( KdcOptions.RENEWABLE );
659         modifier.setKdcOptions( kdcOptions );
660 
661         long now = System.currentTimeMillis();
662 
663         KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
664         modifier.setTill( requestedEndTime );
665 
666         KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );
667         modifier.setRtime( requestedRenewTillTime );
668 
669         RequestBody requestBody = modifier.getRequestBody();
670         KdcRequest message = getKdcRequest( tgt, requestBody );
671 
672         handler.messageReceived( session, message );
673 
674         ErrorMessage error = ( ErrorMessage ) session.getMessage();
675         assertEquals( "KDC policy rejects request", 12, error.getErrorCode() );
676     }
677 }