
Example 1 with KerberosToken

Use of com.yahoo.athenz.auth.token.KerberosToken in the athenz project by Yahoo.

From the class KerberosAuthority, method authenticate.

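/**
 * Verify the credentials and if valid return the corresponding Principal, null otherwise.
 * <p>
 * Failure details are reported through {@code errMsg} and the log, but the raw credential
 * itself is never copied into either: a Kerberos token is a bearer credential, so writing
 * it to a log or an error buffer would hand it to anyone able to read them.
 * {@code httpMethod} is accepted for interface compatibility and is not consulted here.
 * @param creds the credentials (i.e. cookie, token, secret) that will identify the principal.
 * @param remoteAddr remote IP address of the connection, passed through to the token parser
 * @param httpMethod the http method for this request (e.g. GET, PUT, etc)
 * @param errMsg will contain error message if authenticate fails; may be null, in which
 *               case the detail is only logged
 * @return the Principal for the credentials, or null if the credentials are not valid.
 */
@Override
public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
    KerberosToken token;
    try {
        token = new KerberosToken(creds, remoteAddr);
    } catch (IllegalArgumentException ex) {
        // Build the detail once and share it between the caller's buffer and the log.
        // Re-assigning a null errMsg parameter would never reach the caller, so the
        // caller's buffer is only touched when one was actually supplied.
        String detail = "KerberosAuthority:authenticate: Invalid token: exc=" + ex.getMessage();
        if (errMsg != null) {
            errMsg.append(detail);
        }
        LOG.error(detail);
        return null;
    }
    // validate() explains a rejection through this buffer; it is only surfaced to the caller.
    StringBuilder errDetail = new StringBuilder(512);
    if (!token.validate(serviceSubject.get(), errDetail)) {
        if (errMsg != null) {
            errMsg.append("KerberosAuthority:authenticate: token validation failure: ").append(errDetail);
        }
        return null;
    }
    String userName = token.getUserName();
    if (userName == null) {
        // A token that validated but carries no user cannot be mapped to a principal.
        if (errMsg != null) {
            errMsg.append("KerberosAuthority:authenticate: token validation failure: missing user");
        }
        return null;
    }
    // The principal keeps the original credential string and a back-reference to this authority.
    return SimplePrincipal.create(token.getDomain(), userName, creds, this);
}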

Example 2 with KerberosToken

Use of com.yahoo.athenz.auth.token.KerberosToken in the athenz project by Yahoo.

From the class KerberosAuthorityTest, method testKerberosAuthorityMockPrivExcAction.

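/**
 * Exercises {@code KerberosAuthority.authenticate} with the mock privileged action,
 * first for the plain user realm, then for the Kerberos user realm, and finally for a
 * realm the mock does not recognise (which must be rejected).
 * <p>
 * Every system property the test sets is cleared in a {@code finally} block so that a
 * failing assertion cannot leak configuration into later tests; this includes the
 * {@code _TEST_REALM} property that drives the mock action.
 */
@Test(groups = "kerberos-tests")
public void testKerberosAuthorityMockPrivExcAction() throws Exception {
    final String testRealmProp = KerberosToken.KRB_PROP_TOKEN_PRIV_ACTION + "_TEST_REALM";
    // Constructed value: a fixed, non-secret sample token used only to drive the mock action.
    final String token = "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAfakecreds";
    final String creds = KerberosToken.KRB_AUTH_VAL_FLD + " " + token;
    final String remoteAddr = "localhost";
    try {
        System.setProperty(KerberosToken.KRB_PROP_TOKEN_PRIV_ACTION, "com.yahoo.athenz.auth.impl.MockPrivExcAction");
        System.setProperty(testRealmProp, "USER_REALM");
        System.setProperty(KerberosAuthority.KRB_PROP_SVCPRPL, "myserver@EXAMPLE.COM");
        System.setProperty(KerberosAuthority.KRB_PROP_LOGIN_CB_CLASS, KRB_LOGIN_CB_CLASS);
        System.setProperty(KerberosAuthority.KRB_PROP_KEYTAB, "src/test/resources/example.keytab");
        KerberosAuthority authority = new KerberosAuthority();
        authority.initialize();

        // user realm
        assertAuthenticatesAs(authority, creds, remoteAddr, KerberosToken.USER_DOMAIN);

        // kerberos user realm
        System.setProperty(testRealmProp, KerberosToken.KRB_USER_REALM);
        assertAuthenticatesAs(authority, creds, remoteAddr, KerberosToken.KRB_USER_DOMAIN);

        // unrecognised realm: the token must fail validation and authenticate must return null
        System.setProperty(testRealmProp, "REALM.SOMECOMPANY.COM");
        KerberosToken ktoken = new KerberosToken(creds, remoteAddr);
        assertFalse(ktoken.validate(null, null));
        StringBuilder errMsg = new StringBuilder();
        assertNull(authority.authenticate(ktoken.getSignedToken(), null, "GET", errMsg));
        assertNull(authority.authenticate(ktoken.getSignedToken(), null, "GET", null));
        assertNull(authority.authenticate(null, null, "GET", null));
    } finally {
        System.clearProperty(KerberosToken.KRB_PROP_TOKEN_PRIV_ACTION);
        System.clearProperty(testRealmProp);
        System.clearProperty(KerberosAuthority.KRB_PROP_SVCPRPL);
        System.clearProperty(KerberosAuthority.KRB_PROP_LOGIN_CB_CLASS);
        System.clearProperty(KerberosAuthority.KRB_PROP_KEYTAB);
    }
}

/**
 * Parses {@code creds} into a token, checks it validates, and asserts that the authority
 * maps it to a principal in {@code expectedDomain} whose name carries no realm suffix.
 * Runs the check both with and without an error buffer, as the authority accepts either.
 */
private static void assertAuthenticatesAs(KerberosAuthority authority, String creds, String remoteAddr,
        String expectedDomain) {
    KerberosToken ktoken = new KerberosToken(creds, remoteAddr);
    assertTrue(ktoken.validate(null, null));
    StringBuilder errMsg = new StringBuilder();
    Principal principal = authority.authenticate(ktoken.getSignedToken(), null, "GET", errMsg);
    assertNotNull(principal);
    assertNotNull(principal.getAuthority());
    assertEquals(principal.getCredentials(), ktoken.getSignedToken());
    assertEquals(principal.getDomain(), ktoken.getDomain());
    assertEquals(principal.getDomain(), expectedDomain);
    assertEquals(principal.getName(), ktoken.getUserName());
    // the realm must have been stripped from the user name
    assertEquals(principal.getName().indexOf('@'), -1);
    assertNotNull(authority.authenticate(ktoken.getSignedToken(), null, "GET", null));
}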

Example 3 with KerberosToken

Use of com.yahoo.athenz.auth.token.KerberosToken in the athenz project by Yahoo.

From the class KerberosAuthorityTest, method testKerberosAuthorityBadCreds.

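/**
 * Checks the two rejection paths for bad credentials: a string without the Negotiate
 * component must be refused by the {@code KerberosToken} constructor, and a token that
 * parses but cannot be validated against the authority must make {@code authenticate}
 * return null with an explanation in the error buffer.
 */
@Test(groups = "kerberos-tests")
public void testKerberosAuthorityBadCreds() {
    KerberosAuthority authority = new KerberosAuthority("myserver@athenz.com", "src/test/resources/example.keytab", null);
    authority.initialize();
    assertNull(authority.getDomain());
    assertEquals(authority.getHeader(), KerberosAuthority.KRB_AUTH_HEADER);

    String remoteAddr = "some.address";
    try {
        new KerberosToken("invalid_creds", remoteAddr);
        fail("new KerberosToken with bad creds");
    } catch (IllegalArgumentException exc) {
        // narrowest type: this is what KerberosAuthority.authenticate itself catches from the constructor
        assertTrue(exc.getMessage().contains("creds do not contain required Negotiate component"));
    }

    // Constructed value: a fixed, non-secret sample token that parses but will not validate here.
    String creds = KerberosToken.KRB_AUTH_VAL_FLD + " YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAfakecreds";
    KerberosToken token = new KerberosToken(creds, remoteAddr);
    StringBuilder errMsg = new StringBuilder();
    Principal principal = authority.authenticate(token.getSignedToken(), null, "GET", errMsg);
    assertNull(principal);
    // every null-returning path of authenticate appends a reason when a buffer is supplied
    assertTrue(errMsg.length() > 0);
}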
