changeset 5645:0678af55d3db

7172701: KDC tests cleanup Reviewed-by: xuelei
author weijun
date Tue, 05 Jun 2012 17:11:26 +0800
parents 4573662cb28c
children 5ea56641276c
files test/sun/security/krb5/auto/KDC.java test/sun/security/krb5/auto/OkAsDelegate.java test/sun/security/krb5/auto/OkAsDelegateXRealm.java test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh test/sun/security/krb5/auto/ok-as-delegate.sh
diffstat 5 files changed, 59 insertions(+), 263 deletions(-) [+]
line wrap: on
line diff
--- a/test/sun/security/krb5/auto/KDC.java	Tue Jun 05 10:16:22 2012 +0800
+++ b/test/sun/security/krb5/auto/KDC.java	Tue Jun 05 17:11:26 2012 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,10 +67,6 @@
  * <ul>
  * <li>test.kdc.save.ccache
  * </ul>
- * Support policies:
- * <ul>
- * <li>ok-as-delegate
- * </ul>
  * Issues and TODOs:
  * <ol>
  * <li> Generates krb5.conf to be used on another machine, currently the kdc is
@@ -178,6 +174,10 @@
          * Multiple ETYPE-INFO-ENTRY with same etype but different salt
          */
         DUP_ETYPE,
+        /**
+         * What backend server can be delegated to
+         */
+        OK_AS_DELEGATE,
     };
 
     static {
@@ -232,7 +232,11 @@
      * @param obj the value
      */
     public void setOption(Option key, Object value) {
-        options.put(key, value);
+        if (value == null) {
+            options.remove(key);
+        } else {
+            options.put(key, value);
+        }
     }
 
     /**
@@ -579,53 +583,6 @@
         }
     }
 
-    private Map<String,String> policies = new HashMap<>();
-
-    public void setPolicy(String rule, String value) {
-        if (value == null) {
-            policies.remove(rule);
-        } else {
-            policies.put(rule, value);
-        }
-    }
-    /**
-     * If the provided client/server pair matches a rule
-     *
-     * A system property named test.kdc.policy.RULE will be consulted.
-     * If it's unset, returns false. If its value is "", any pair is
-     * matched. Otherwise, it should contains the server name matched.
-     *
-     * TODO: client name is not used currently.
-     *
-     * @param c client name
-     * @param s server name
-     * @param rule rule name
-     * @return if a match is found
-     */
-    private boolean configMatch(String c, String s, String rule) {
-        String policy = policies.get(rule);
-        boolean result = false;
-        if (policy == null) {
-            result = false;
-        } else if (policy.length() == 0) {
-            result = true;
-        } else {
-            String[] names = policy.split("\\s+");
-            for (String name: names) {
-                if (name.equals(s)) {
-                    result = true;
-                    break;
-                }
-            }
-        }
-        if (result) {
-            System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n",
-                    c, s, rule, result);
-        }
-        return result;
-    }
-
-
     /**
      * Processes an incoming request and generates a response.
      * @param in the request
@@ -724,7 +681,10 @@
                 bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
             }
 
-            if (configMatch("", service.getNameString(), "ok-as-delegate")) {
+            String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE);
+            if (okAsDelegate != null && (
+                    okAsDelegate.isEmpty() ||
+                    okAsDelegate.contains(service.getNameString()))) {
                 bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
             }
             bFlags[Krb5.TKT_OPTS_INITIAL] = true;
--- a/test/sun/security/krb5/auto/OkAsDelegate.java	Tue Jun 05 10:16:22 2012 +0800
+++ b/test/sun/security/krb5/auto/OkAsDelegate.java	Tue Jun 05 17:11:26 2012 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,32 @@
  * questions.
  */
 
+/*
+ * @test
+ * @bug 6853328 7172701
+ * @run main/othervm OkAsDelegate false true true false false false
+ *      FORWARDABLE ticket not allowed, always fail
+ * @run main/othervm OkAsDelegate true false false false false false
+ *      Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
+ * @run main/othervm OkAsDelegate true false true false false false
+ *      Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
+ * @run main/othervm OkAsDelegate true true false true false true
+ *      Service ticket no OK-AS-DELEGATE. Request deleg, granted
+ * @run main/othervm OkAsDelegate true true true true false true
+ *      Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
+ *      Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
+ *      Service ticket has OK-AS-DELEGATE. granted, with info by policy
+ * @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true
+ * @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true
+ * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
+ * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
+ * @summary Support OK-AS-DELEGATE flag
+ */
 import com.sun.security.jgss.ExtendedGSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
@@ -52,7 +78,7 @@
             boolean delegated
             ) throws Exception {
         OneKDC kdc = new OneKDC(null);
-        kdc.setPolicy("ok-as-delegate",
+        kdc.setOption(KDC.Option.OK_AS_DELEGATE,
                 System.getProperty("test.kdc.policy.ok-as-delegate"));
         kdc.writeJAASConf();
         if (!forwardable) {
--- a/test/sun/security/krb5/auto/OkAsDelegateXRealm.java	Tue Jun 05 10:16:22 2012 +0800
+++ b/test/sun/security/krb5/auto/OkAsDelegateXRealm.java	Tue Jun 05 17:11:26 2012 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,8 +21,19 @@
  * questions.
  */
 
-import com.sun.security.jgss.ExtendedGSSContext;
-import java.io.File;
+/*
+ * @test
+ * @bug 6853328 7172701
+ * @run main/othervm OkAsDelegateXRealm false
+ *      KDC no OK-AS-DELEGATE, fail
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true
+ *      KDC set OK-AS-DELEGATE for all, succeed
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false
+ *      KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local,krbtgt/R2,krbtgt/R3 OkAsDelegateXRealm true
+ *      KDC set OK-AS-DELEGATE for all three, succeed
+ * @summary Support OK-AS-DELEGATE flag
+ */
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.security.Security;
@@ -31,11 +42,7 @@
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
 import sun.security.jgss.GSSUtil;
 import sun.security.krb5.Config;
 
@@ -50,21 +57,21 @@
         // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
         // R1 is trusted by R2, and R2 trusted by R3.
         KDC kdc1 = KDC.create("R1");
-        kdc1.setPolicy("ok-as-delegate",
+        kdc1.setOption(KDC.Option.OK_AS_DELEGATE,
                 System.getProperty("test.kdc.policy.ok-as-delegate"));
         kdc1.addPrincipal("dummy", "bogus".toCharArray());
         kdc1.addPrincipalRandKey("krbtgt/R1");
         kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
 
         KDC kdc2 = KDC.create("R2");
-        kdc2.setPolicy("ok-as-delegate",
+        kdc2.setOption(KDC.Option.OK_AS_DELEGATE,
                 System.getProperty("test.kdc.policy.ok-as-delegate"));
         kdc2.addPrincipalRandKey("krbtgt/R2");
         kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
         kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
 
         KDC kdc3 = KDC.create("R3");
-        kdc3.setPolicy("ok-as-delegate",
+        kdc3.setOption(KDC.Option.OK_AS_DELEGATE,
                 System.getProperty("test.kdc.policy.ok-as-delegate"));
         kdc3.addPrincipalRandKey("krbtgt/R3");
         kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
--- a/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh	Tue Jun 05 10:16:22 2012 +0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,79 +0,0 @@
-#
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6853328
-# @summary Support OK-AS-DELEGATE flag
-# @run shell/timeout=600 ok-as-delegate-xrealm.sh
-#
-
-if [ "${TESTSRC}" = "" ] ; then
-  TESTSRC=`dirname $0`
-fi
-
-if [ "${TESTJAVA}" = "" ] ; then
-  JAVAC_CMD=`which javac`
-  TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
-  Windows_* )
-    FS="\\"
-    SEP=";"
-    ;;
-  CYGWIN* )
-    FS="/"
-    SEP=";"
-    ;;
-  * )
-    FS="/"
-    SEP=":"
-    ;;
-esac
-
-${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
-    ${TESTSRC}${FS}OkAsDelegateXRealm.java \
-    ${TESTSRC}${FS}KDC.java \
-    ${TESTSRC}${FS}OneKDC.java \
-    ${TESTSRC}${FS}Action.java \
-    ${TESTSRC}${FS}Context.java \
-    || exit 10
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}."
-
-# KDC no OK-AS-DELEGATE, fail
-$J OkAsDelegateXRealm false || exit 1
-
-# KDC set OK-AS-DELEGATE for all, succeed
-$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2
-
-# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
-$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3
-
-# KDC set OK-AS-DELEGATE for all, succeed
-$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4
-
-exit 0
--- a/test/sun/security/krb5/auto/ok-as-delegate.sh	Tue Jun 05 10:16:22 2012 +0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,118 +0,0 @@
-#
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6853328
-# @summary Support OK-AS-DELEGATE flag
-# @run shell/timeout=600 ok-as-delegate.sh
-#
-
-if [ "${TESTSRC}" = "" ] ; then
-  TESTSRC=`dirname $0`
-fi
-
-if [ "${TESTJAVA}" = "" ] ; then
-  JAVAC_CMD=`which javac`
-  TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
-  Windows_* )
-    FS="\\"
-    SEP=";"
-    ;;
-  CYGWIN* )
-    FS="/"
-    SEP=";"
-    ;;
-  * )
-    FS="/"
-    SEP=":"
-    ;;
-esac
-
-${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
-    ${TESTSRC}${FS}OkAsDelegate.java \
-    ${TESTSRC}${FS}KDC.java \
-    ${TESTSRC}${FS}OneKDC.java \
-    ${TESTSRC}${FS}Action.java \
-    ${TESTSRC}${FS}Context.java \
-    || exit 10
-
-# Testing Kerberos 5
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate"
-JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
-
-# FORWARDABLE ticket not allowed, always fail
-$J false true true false false false || exit 1
-
-# Service ticket no OK-AS-DELEGATE
-
-# Request nothing, gain nothing
-$J true false false false false false || exit 2
-# Request deleg policy, gain nothing
-$J true false true false false false || exit 3
-# Request deleg, granted
-$J true true false true false true || exit 4
-# Request deleg and deleg policy, granted, with info not by policy
-$J true true true true false true || exit 5
-
-# Service ticket has OK-AS-DELEGATE
-
-# Request deleg policy, granted
-$JOK true false true true true true || exit 6
-# Request deleg and deleg policy, granted, with info by policy
-$JOK true true true true true true || exit 7
-
-# Testing SPNEGO
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate"
-JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
-
-# FORWARDABLE ticket not allowed, always fail
-$J false true true false false false || exit 11
-
-# Service ticket no OK-AS-DELEGATE
-
-# Request nothing, gain nothing
-$J true false false false false false || exit 12
-# Request deleg policy, gain nothing
-$J true false true false false false || exit 13
-# Request deleg, granted
-$J true true false true false true || exit 14
-# Request deleg and deleg policy, granted, with info not by policy
-$J true true true true false true || exit 15
-
-# Service ticket has OK-AS-DELEGATE
-
-# Request deleg policy, granted
-$JOK true false true true true true || exit 16
-# Request deleg and deleg policy, granted, with info by policy
-$JOK true true true true true true || exit 17
-
-exit 0