/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.fediz.integrationtests;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.servlet.ServletException;
import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlForm;
import com.gargoylesoftware.htmlunit.html.HtmlPage;
import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.commons.io.IOUtils;
import org.apache.cxf.fediz.core.ClaimTypes;
import org.apache.cxf.fediz.tomcat7.FederationAuthenticator;
import org.apache.directory.server.annotations.CreateKdcServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreateIndex;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.xml.security.utils.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.runner.RunWith;
/**
* A test that sends a Kerberos ticket to the IdP for authentication. The IdP must be configured
* to validate the Kerberos ticket, and in turn get a delegation token to authenticate to the
* STS + retrieve claims etc.
*
* This test uses an Apache DS instance as the KDC
*/
@RunWith(FrameworkRunner.class)
//Define the DirectoryService
@CreateDS(name = "KerberosTest-class",
enableAccessControl = false,
allowAnonAccess = false,
enableChangeLog = true,
partitions = {
@CreatePartition(
name = "example",
suffix = "dc=example,dc=com",
indexes = {
@CreateIndex(attribute = "objectClass"),
@CreateIndex(attribute = "dc"),
@CreateIndex(attribute = "ou")
}
) },
additionalInterceptors = {
KeyDerivationInterceptor.class
}
)
@CreateKdcServer(
transports = {
@CreateTransport(protocol = "KRB", address = "127.0.0.1")
},
primaryRealm = "service.ws.apache.org",
kdcPrincipal = "krbtgt/service.ws.apache.org@service.ws.apache.org"
)
//Inject an file containing entries
@ApplyLdifFiles("kerberos.ldif")
public class KerberosTest extends AbstractLdapTestUnit {
static String idpHttpsPort;
static String rpHttpsPort;
private static Tomcat idpServer;
private static Tomcat rpServer;
private static boolean portUpdated;
@BeforeClass
public static void init() throws Exception {
System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info");
System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info");
System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info");
System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info");
System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info");
System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info");
idpHttpsPort = System.getProperty("idp.https.port");
Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort);
rpHttpsPort = System.getProperty("rp.https.port");
Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort);
WSSConfig.init();
idpServer = startServer(true, idpHttpsPort);
rpServer = startServer(false, rpHttpsPort);
}
@Before
public void updatePort() throws Exception {
if (!portUpdated) {
String basedir = System.getProperty("basedir");
if (basedir == null) {
basedir = new File(".").getCanonicalPath();
}
// Read in krb5.conf and substitute in the correct port
File f = new File(basedir + "/src/test/resources/krb5.conf");
FileInputStream inputStream = new FileInputStream(f);
String content = IOUtils.toString(inputStream, "UTF-8");
inputStream.close();
content = content.replaceAll("port", "" + super.getKdcServer().getTransports()[0].getPort());
File f2 = new File(basedir + "/target/test-classes/fediz.kerberos.krb5.conf");
try (FileOutputStream outputStream = new FileOutputStream(f2)) {
IOUtils.write(content, outputStream, "UTF-8");
}
System.setProperty("java.security.krb5.conf", f2.getPath());
portUpdated = true;
}
System.setProperty("java.security.auth.login.config", "src/test/resources/kerberos.jaas");
}
private static Tomcat startServer(boolean idp, String port)
throws ServletException, LifecycleException, IOException {
Tomcat server = new Tomcat();
server.setPort(0);
String currentDir = new File(".").getCanonicalPath();
String baseDir = currentDir + File.separator + "target";
server.setBaseDir(baseDir);
if (idp) {
server.getHost().setAppBase("tomcat/idp/webapps");
} else {
server.getHost().setAppBase("tomcat/rp/webapps");
}
server.getHost().setAutoDeploy(true);
server.getHost().setDeployOnStartup(true);
Connector httpsConnector = new Connector();
httpsConnector.setPort(Integer.parseInt(port));
httpsConnector.setSecure(true);
httpsConnector.setScheme("https");
//httpsConnector.setAttribute("keyAlias", keyAlias);
httpsConnector.setAttribute("keystorePass", "tompass");
httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks");
httpsConnector.setAttribute("truststorePass", "tompass");
httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks");
httpsConnector.setAttribute("clientAuth", "want");
// httpsConnector.setAttribute("clientAuth", "false");
httpsConnector.setAttribute("sslProtocol", "TLS");
httpsConnector.setAttribute("SSLEnabled", true);
server.getService().addConnector(httpsConnector);
if (idp) {
File stsWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp-sts");
server.addWebapp("/fediz-idp-sts", stsWebapp.getAbsolutePath());
File idpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "fediz-idp");
server.addWebapp("/fediz-idp", idpWebapp.getAbsolutePath());
} else {
File rpWebapp = new File(baseDir + File.separator + server.getHost().getAppBase(), "simpleWebapp");
Context cxt = server.addWebapp("/fedizhelloworld", rpWebapp.getAbsolutePath());
FederationAuthenticator fa = new FederationAuthenticator();
fa.setConfigFile(currentDir + File.separator + "target" + File.separator
+ "test-classes" + File.separator + "fediz_config.xml");
cxt.getPipeline().addValve(fa);
}
server.start();
return server;
}
@AfterClass
public static void cleanup() {
shutdownServer(idpServer);
shutdownServer(rpServer);
}
private static void shutdownServer(Tomcat server) {
try {
if (server != null && server.getServer() != null
&& server.getServer().getState() != LifecycleState.DESTROYED) {
if (server.getServer().getState() != LifecycleState.STOPPED) {
server.stop();
}
server.destroy();
}
} catch (Exception e) {
e.printStackTrace();
}
}
public String getIdpHttpsPort() {
return idpHttpsPort;
}
public String getRpHttpsPort() {
return rpHttpsPort;
}
public String getServletContextName() {
return "fedizhelloworld";
}
@org.junit.Test
public void testKerberos() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
// Get a Kerberos Ticket + Base64 encode it
String ticket = getEncodedKerberosTicket(false);
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getOptions().setJavaScriptEnabled(false);
webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
final HtmlPage idpPage = webClient.getPage(url);
webClient.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
final HtmlForm form = idpPage.getFormByName("signinresponseform");
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
final HtmlPage rpPage = button.click();
Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
final String bodyTextContent = rpPage.getBody().getTextContent();
String user = "alice";
Assert.assertTrue("Principal not " + user,
bodyTextContent.contains("userPrincipal=" + user));
Assert.assertTrue("User " + user + " does not have role Admin",
bodyTextContent.contains("role:Admin=false"));
Assert.assertTrue("User " + user + " does not have role Manager",
bodyTextContent.contains("role:Manager=false"));
Assert.assertTrue("User " + user + " must have role User",
bodyTextContent.contains("role:User=true"));
String claim = ClaimTypes.FIRSTNAME.toString();
Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
bodyTextContent.contains(claim + "=Alice"));
claim = ClaimTypes.LASTNAME.toString();
Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
bodyTextContent.contains(claim + "=Smith"));
claim = ClaimTypes.EMAILADDRESS.toString();
Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
bodyTextContent.contains(claim + "=alice@realma.org"));
webClient.close();
}
// To get this test to work, uncomment the "spnego" configuration in the STS's kerberos.xml
@org.junit.Test
@org.junit.Ignore
public void testSpnego() throws Exception {
String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
// Get a Kerberos Ticket + Base64 encode it
String ticket = getEncodedKerberosTicket(true);
final WebClient webClient = new WebClient();
webClient.getOptions().setUseInsecureSSL(true);
webClient.getOptions().setJavaScriptEnabled(false);
webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
final HtmlPage idpPage = webClient.getPage(url);
webClient.getOptions().setJavaScriptEnabled(true);
Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
final HtmlForm form = idpPage.getFormByName("signinresponseform");
final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
final HtmlPage rpPage = button.click();
Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());
final String bodyTextContent = rpPage.getBody().getTextContent();
String user = "alice";
Assert.assertTrue("Principal not " + user,
bodyTextContent.contains("userPrincipal=" + user));
Assert.assertTrue("User " + user + " does not have role Admin",
bodyTextContent.contains("role:Admin=false"));
Assert.assertTrue("User " + user + " does not have role Manager",
bodyTextContent.contains("role:Manager=false"));
Assert.assertTrue("User " + user + " must have role User",
bodyTextContent.contains("role:User=true"));
String claim = ClaimTypes.FIRSTNAME.toString();
Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
bodyTextContent.contains(claim + "=Alice"));
claim = ClaimTypes.LASTNAME.toString();
Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
bodyTextContent.contains(claim + "=Smith"));
claim = ClaimTypes.EMAILADDRESS.toString();
Assert.assertTrue("User " + user + " claim " + claim + " is not 'alice@realma.org'",
bodyTextContent.contains(claim + "=alice@realma.org"));
webClient.close();
}
private String getEncodedKerberosTicket(boolean spnego) throws Exception {
Oid kerberos5Oid = null;
if (spnego) {
kerberos5Oid = new Oid("1.3.6.1.5.5.2");
} else {
kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
}
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("bob@service.ws.apache.org",
GSSName.NT_HOSTBASED_SERVICE);
GSSContext context = manager
.createContext(serverName.canonicalize(kerberos5Oid), kerberos5Oid,
null, GSSContext.DEFAULT_LIFETIME);
context.requestCredDeleg(true);
final byte[] token = new byte[0];
String contextName = "alice";
LoginContext lc = new LoginContext(contextName, new KerberosClientPasswordCallback());
lc.login();
byte[] ticket = (byte[])Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context, token));
return Base64.encode(ticket);
}
private final class CreateServiceTicketAction implements PrivilegedExceptionAction<byte[]> {
private final GSSContext context;
private final byte[] token;
private CreateServiceTicketAction(GSSContext context, byte[] token) {
this.context = context;
this.token = token;
}
public byte[] run() throws GSSException {
return context.initSecContext(token, 0, token.length);
}
}
}