1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.kerberos.protocol;
21  
22  
23  import org.apache.directory.server.kerberos.kdc.KdcServer;
24  import org.apache.directory.server.kerberos.shared.KerberosConstants;
25  import org.apache.directory.server.kerberos.shared.KerberosMessageType;
26  import org.apache.directory.server.kerberos.shared.messages.ErrorMessage;
27  import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
28  import org.apache.directory.server.kerberos.shared.messages.value.KdcOptions;
29  import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
30  import org.apache.directory.server.kerberos.shared.messages.value.RequestBodyModifier;
31  import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
32  
33  
34  /**
35   * Tests configuration of Authentication Service (AS) policy.
36   *
37   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
38   * @version $Rev$, $Date$
39   */
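public class AuthenticationPolicyTest extends AbstractAuthenticationServiceTest
{
    /**
     * KDC_ERR_POLICY, "KDC policy rejects request" (RFC 4120, section 7.5.9).
     * Every test in this class expects the KDC to answer with exactly this code.
     */
    private static final int KDC_ERR_POLICY = 12;

    /** Client principal named in every AS-REQ built here. */
    private static final String CLIENT_NAME = "hnelson";

    /** Ticket-granting service the AS-REQ is addressed to. */
    private static final String TGS_NAME = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";

    /** Realm of the AS-REQ body. */
    private static final String REALM = "EXAMPLE.COM";

    private KdcServer config;
    private PrincipalStore store;
    private KerberosProtocolHandler handler;
    private DummySession session;


    /**
     * Creates a new instance of {@link AuthenticationPolicyTest}.
     *
     * A fresh KDC configuration, principal store, protocol handler and session
     * are created per instance, so policy flags toggled by one test do not
     * leak into another.
     */
    public AuthenticationPolicyTest()
    {
        config = new KdcServer();
        store = new MapPrincipalStoreImpl();
        handler = new KerberosProtocolHandler( config, store );
        session = new DummySession();
    }


    /**
     * Builds an AS-REQ for {@link #CLIENT_NAME} against {@link #TGS_NAME} with
     * the supplied KDC options and lifetimes, hands it to the protocol handler
     * and returns the reply.
     *
     * The reply is asserted to be a KRB_ERROR before it is cast, so a test that
     * unexpectedly receives a ticket fails with a clear message instead of a
     * {@link ClassCastException}.
     *
     * @param kdcOptions the KDC options (ticket flags) to request
     * @param till the requested end time of the ticket
     * @param rtime the requested renew-till time, or {@code null} to leave it unset
     * @return the KRB_ERROR the KDC answered with
     * @throws Exception if the handler fails
     */
    private ErrorMessage sendAsRequest( KdcOptions kdcOptions, KerberosTime till, KerberosTime rtime ) throws Exception
    {
        RequestBodyModifier modifier = new RequestBodyModifier();
        modifier.setClientName( getPrincipalName( CLIENT_NAME ) );
        modifier.setServerName( getPrincipalName( TGS_NAME ) );
        modifier.setRealm( REALM );
        modifier.setEType( config.getEncryptionTypes() );
        modifier.setKdcOptions( kdcOptions );
        modifier.setTill( till );

        // Only some requests carry a renew-till; leave the body's default otherwise.
        if ( rtime != null )
        {
            modifier.setRtime( rtime );
        }

        KdcRequest message = new KdcRequest( KerberosConstants.KERBEROS_V5, KerberosMessageType.AS_REQ, null, modifier.getRequestBody() );

        handler.messageReceived( session, message );

        Object reply = session.getMessage();
        assertEquals( "expected a KRB_ERROR reply, not a ticket", true, reply instanceof ErrorMessage );

        return ( ErrorMessage ) reply;
    }


    /**
     * Asserts that the KDC rejected the request on policy grounds
     * (KDC_ERR_POLICY) rather than with some other error.
     *
     * @param error the KRB_ERROR returned by the KDC
     */
    private void assertPolicyRejected( ErrorMessage error )
    {
        assertEquals( "KDC policy rejects request", KDC_ERR_POLICY, error.getErrorCode() );
    }


    /**
     * Tests when forwardable tickets are disallowed that requests for
     * forwardable tickets fail with the correct error message.
     *
     * NOTE(review): pre-authentication is switched off here (and in every test
     * below) so that the policy check is exercised on an AS-REQ that carries no
     * pre-auth data. Whether the KDC evaluates policy before or after
     * pre-authentication when it is required is not covered by these tests —
     * TODO confirm the handler's ordering if that matters for information leakage.
     * 
     * @throws Exception 
     */
    public void testForwardableTicket() throws Exception
    {
        // Deny FORWARDABLE tickets in policy.
        config.setPaEncTimestampRequired( false );
        config.setForwardableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.FORWARDABLE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, null );
        assertPolicyRejected( error );
    }


    /**
     * Tests when proxiable tickets are disallowed that requests for
     * proxiable tickets fail with the correct error message.
     * 
     * @throws Exception 
     */
    public void testProxiableTicket() throws Exception
    {
        // Deny PROXIABLE tickets in policy.
        config.setPaEncTimestampRequired( false );
        config.setProxiableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.PROXIABLE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, null );
        assertPolicyRejected( error );
    }


    /**
     * Tests when postdated tickets are disallowed that requests for
     * ALLOW-POSTDATE tickets fail with the correct error message.
     * 
     * @throws Exception 
     */
    public void testAllowPostdate() throws Exception
    {
        // Deny POSTDATED tickets in policy.
        config.setPaEncTimestampRequired( false );
        config.setPostdatedAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.ALLOW_POSTDATE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, null );
        assertPolicyRejected( error );
    }


    /**
     * Tests when postdated tickets are disallowed that requests for
     * postdated tickets fail with the correct error message.
     * 
     * @throws Exception 
     */
    public void testPostdate() throws Exception
    {
        // Deny POSTDATED tickets in policy.
        config.setPaEncTimestampRequired( false );
        config.setPostdatedAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.POSTDATED );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, null );
        assertPolicyRejected( error );
    }


    /**
     * Tests when renewable tickets are disallowed that requests for
     * RENEWABLE-OK tickets fail with the correct error message.
     *
     * The requested lifetime is a week so that RENEWABLE-OK would actually
     * come into play (it only matters when the requested end time exceeds
     * what the KDC is willing to grant).
     * 
     * @throws Exception 
     */
    public void testRenewableOk() throws Exception
    {
        // Deny RENEWABLE tickets in policy.
        config.setPaEncTimestampRequired( false );
        config.setRenewableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.RENEWABLE_OK );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + KerberosTime.WEEK );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, null );
        assertPolicyRejected( error );
    }


    /**
     * Tests when renewable tickets are disallowed that requests for
     * renewable tickets fail with the correct error message.
     * 
     * @throws Exception 
     */
    public void testRenewableTicket() throws Exception
    {
        // Deny RENEWABLE tickets in policy.
        config.setPaEncTimestampRequired( false );
        config.setRenewableAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.set( KdcOptions.RENEWABLE );

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
        KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, requestedRenewTillTime );
        assertPolicyRejected( error );
    }


    /**
     * Tests when empty addresses are disallowed that requests with no addresses
     * fail with the correct error message.
     *
     * No KDC options are set and no client addresses are added to the request
     * body, so the only policy violation is the empty address list.
     * 
     * @throws Exception 
     */
    public void testEmptyAddresses() throws Exception
    {
        // Deny empty addresses in policy.
        config.setPaEncTimestampRequired( false );
        config.setEmptyAddressesAllowed( false );

        KdcOptions kdcOptions = new KdcOptions();

        long now = System.currentTimeMillis();
        KerberosTime requestedEndTime = new KerberosTime( now + 1 * KerberosTime.DAY );
        KerberosTime requestedRenewTillTime = new KerberosTime( now + KerberosTime.WEEK / 2 );

        ErrorMessage error = sendAsRequest( kdcOptions, requestedEndTime, requestedRenewTillTime );
        assertPolicyRejected( error );
    }
}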