20 package org.apache.directory.server.kerberos.protocol;
23 import org.apache.directory.server.kerberos.kdc.KdcServer;
24 import org.apache.directory.server.kerberos.shared.KerberosConstants;
25 import org.apache.directory.server.kerberos.shared.KerberosMessageType;
26 import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
27 import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
28 import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
29 import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
30 import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
31 import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
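/**
 * Tests that the KDC enforces its administrative ticket policy on AS-REQ
 * processing: when a ticket option (forwardable, proxiable, postdated,
 * renewable) or an empty address list is disabled in the {@link KdcServer}
 * configuration, a request asking for it must be answered with a KRB_ERROR
 * carrying KDC_ERR_POLICY instead of a ticket.
 *
 * Pre-authentication is switched off in every test so that the request
 * reaches the policy check rather than being stopped earlier.
 */
public class AuthenticationPolicyTest extends AbstractAuthenticationServiceTest
{
    /**
     * KDC_ERR_POLICY, "KDC policy rejects request" (RFC 4120, section 7.5.9).
     */
    private static final int KDC_ERR_POLICY = 12;

    /** Client principal used by every request. */
    private static final String CLIENT_NAME = "hnelson";

    /** Ticket-granting service the client asks a TGT for. */
    private static final String TGS_NAME = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";

    /** Realm of the request. */
    private static final String REALM = "EXAMPLE.COM";

    private KdcServer config;
    private PrincipalStore store;
    private KerberosProtocolHandler handler;
    private DummySession session;


    /**
     * Creates a fresh KDC configuration, principal store, protocol handler and
     * session for each test instance, so that policy settings made by one test
     * cannot leak into another.
     */
    public AuthenticationPolicyTest()
    {
        config = new KdcServer();
        store = new MapPrincipalStoreImpl();
        handler = new KerberosProtocolHandler( config, store );
        session = new DummySession();
    }


    /**
     * Tests that a request for a FORWARDABLE ticket is rejected with
     * KDC_ERR_POLICY when forwardable tickets are not allowed.
     *
     * @throws Exception
     */
    public void testForwardableTicket() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setForwardableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.FORWARDABLE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, null ) );
    }


    /**
     * Tests that a request for a PROXIABLE ticket is rejected with
     * KDC_ERR_POLICY when proxiable tickets are not allowed.
     *
     * @throws Exception
     */
    public void testProxiableTicket() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setProxiableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.PROXIABLE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, null ) );
    }


    /**
     * Tests that a request carrying the ALLOW_POSTDATE option is rejected with
     * KDC_ERR_POLICY when postdated tickets are not allowed.
     *
     * @throws Exception
     */
    public void testAllowPostdate() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setPostdatedAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.ALLOW_POSTDATE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, null ) );
    }


    /**
     * Tests that a request carrying the POSTDATED option is rejected with
     * KDC_ERR_POLICY when postdated tickets are not allowed. Same policy knob
     * as {@link #testAllowPostdate()}, different request flag.
     *
     * @throws Exception
     */
    public void testPostdate() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setPostdatedAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.POSTDATED );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, null ) );
    }


    /**
     * Tests that a request carrying RENEWABLE_OK together with an end time a
     * week away is rejected with KDC_ERR_POLICY when renewable tickets are not
     * allowed. The long end time is presumably beyond the configured maximum
     * lifetime, which is what would make the KDC fall back to issuing a
     * renewable ticket.
     *
     * @throws Exception
     */
    public void testRenewableOk() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setRenewableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.RENEWABLE_OK );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, null ) );
    }


    /**
     * Tests that an explicit request for a RENEWABLE ticket, with a renew-till
     * time, is rejected with KDC_ERR_POLICY when renewable tickets are not
     * allowed.
     *
     * @throws Exception
     */
    public void testRenewableTicket() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setRenewableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.RENEWABLE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
        KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, requestedRenewTillTime ) );
    }


    /**
     * Tests that a request whose body carries no client addresses is rejected
     * with KDC_ERR_POLICY when empty address lists are not allowed. No KDC
     * options are set; only the missing addresses should trigger the rejection.
     *
     * @throws Exception
     */
    public void testEmptyAddresses() throws Exception
    {
        config.setPaEncTimestampRequired( false );
        config.setEmptyAddressesAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.DAY );
        KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );

        assertPolicyRejected( newAsReq( kdcOptions, requestedEndTime, requestedRenewTillTime ) );
    }


    /**
     * Builds an AS-REQ from the test client for the realm's ticket-granting
     * service, using the encryption types the KDC is configured with.
     *
     * @param kdcOptions the KDC options to request
     * @param till the requested ticket end time
     * @param rtime the requested renew-till time, or null to leave it out
     * @return the AS-REQ to hand to the protocol handler
     */
    private KdcRequest newAsReq( KdcOptions kdcOptions, KerberosTime till, KerberosTime rtime )
    {
        RequestBodyModifier modifier = new RequestBodyModifier();
        modifier.setClientName( getPrincipalName( CLIENT_NAME ) );
        modifier.setServerName( getPrincipalName( TGS_NAME ) );
        modifier.setRealm( REALM );
        modifier.setEType( config.getEncryptionTypes() );
        modifier.setKdcOptions( kdcOptions );
        modifier.setTill( till );

        if ( rtime != null )
        {
            modifier.setRtime( rtime );
        }

        return new KdcRequest( KerberosConstants.KERBEROS_V5, KerberosMessageType.AS_REQ, null, modifier.getRequestBody() );
    }


    /**
     * Delivers the request to the handler and asserts that the KDC answered
     * with a KRB_ERROR carrying KDC_ERR_POLICY rather than issuing a ticket.
     *
     * @param message the AS-REQ to deliver
     * @throws Exception
     */
    private void assertPolicyRejected( KdcRequest message ) throws Exception
    {
        handler.messageReceived( session, message );

        Object reply = session.getMessage();

        // Anything other than a KRB_ERROR here means the disabled option was
        // honoured, i.e. the policy check was bypassed. Report that explicitly
        // instead of failing on the cast below.
        assertEquals( "Expected a KRB_ERROR reply, got: " + reply, true, reply instanceof ErrorMessage );

        ErrorMessage error = ( ErrorMessage ) reply;
        assertEquals( "KDC policy rejects request", KDC_ERR_POLICY, error.getErrorCode() );
    }
}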