jdk-24/test/jdk/sun/security/krb5/auto/ReplayCacheTestProc.java

524 lines
20 KiB
Java
Raw Normal View History

/*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 7152176 8168518 8172017 8014628 8194486
* @summary More krb5 tests
* @library ../../../../java/security/testlibrary/ /test/lib
* @build jdk.test.lib.Platform
* @run main jdk.test.lib.FileInstaller TestHosts TestHosts
* @run main/othervm/timeout=300 -Djdk.net.hosts.file=TestHosts
* ReplayCacheTestProc
*/
import java.io.*;
import java.nio.BufferUnderflowException;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import jdk.test.lib.Platform;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.internal.rcache.AuthTime;
/**
* This test runs multiple acceptor Procs to mimic AP-REQ replays.
* These system properties are supported:
*
* - test.libs on what types of acceptors to use
* Format: CSV of (J|N|N<suffix>=<libname>|J<suffix>=<launcher>)
* Default: J,N on Solaris and Linux where N is available, or J
* Example: J,N,N14=/krb5-1.14/lib/libgssapi_krb5.so,J8=/java8/bin/java
*
* - test.runs on manual runs. If empty, a iterate through all pattern
* Format: (req# | client# service#) acceptor# expected, ...
* Default: null
* Example: c0s0Jav,c1s1N14av,r0Jbx means 0th req is new c0->s0 sent to Ja,
* 1st req is new c1 to s1 sent to N14a,
* 2nd req is old (0th replayed) sent to Jb.
* a/b at the end of acceptor is different acceptors of the same lib
*
* - test.autoruns on number of automatic runs
* Format: number
* Default: 100
*/
public class ReplayCacheTestProc {
private static Proc[] pa; // all acceptors
private static Proc pi; // the single initiator
private static List<Req> reqs = new ArrayList<>();
private static String HOST = "localhost";
private static final String SERVICE;
private static long uid;
private static String cwd;
static {
String tmp = System.getProperty("test.service");
SERVICE = (tmp == null) ? "service" : tmp;
uid = jdk.internal.misc.VM.geteuid();
// Where should the rcache be saved. KRB5RCACHEDIR is not
// recognized on Solaris (might be supported on Solaris 12),
// and directory name is different when launched by root.
// See manpage krb5envvar(5) on KRB5RCNAME.
if (System.getProperty("os.name").startsWith("SunOS")) {
if (uid == 0) {
cwd = "/var/krb5/rcache/root/";
} else {
cwd = "/var/krb5/rcache/";
}
} else {
cwd = System.getProperty("user.dir");
}
}
private static MessageDigest md5, sha256;
static {
try {
md5 = MessageDigest.getInstance("MD5");
sha256 = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException nsae) {
throw new AssertionError("Impossible", nsae);
}
}
public static void main0(String[] args) throws Exception {
System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
if (args.length == 0) { // The controller
int nc = 5; // number of clients
int ns = 5; // number of services
String[] libs; // available acceptor types:
// J: java
// J<suffix>=<java launcher>: another java
// N: default native lib
// N<suffix>=<libname>: another native lib
Ex[] result;
int numPerType = 2; // number of acceptors per type
KDC kdc = KDC.create(OneKDC.REALM, HOST, 0, true);
for (int i=0; i<nc; i++) {
kdc.addPrincipal(client(i), OneKDC.PASS);
}
kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
for (int i=0; i<ns; i++) {
kdc.addPrincipalRandKey(service(i));
}
// Native lib might not support aes-sha2
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
"default_tkt_enctypes = aes128-cts",
"default_tgs_enctypes = aes128-cts");
// Write KTAB after krb5.conf so it contains no aes-sha2 keys
kdc.writeKtab(OneKDC.KTAB);
// User-provided libs
String userLibs = System.getProperty("test.libs");
if (userLibs != null) {
libs = userLibs.split(",");
} else {
if (Platform.isOSX() || Platform.isWindows()) {
// macOS uses Heimdal and Windows has no native lib
libs = new String[]{"J"};
} else {
if (acceptor("N", "sanity").waitFor() != 0) {
Proc.d("Native mode sanity check failed, only java");
libs = new String[]{"J"};
} else {
libs = new String[]{"J", "N"};
}
}
}
pi = Proc.create("ReplayCacheTestProc").debug("C")
.inheritProp("jdk.net.hosts.file")
.args("initiator")
.start();
int na = libs.length * numPerType; // total number of acceptors
pa = new Proc[na];
// Acceptors, numPerType for 1st, numForType for 2nd, ...
for (int i=0; i<na; i++) {
pa[i] = acceptor(libs[i/numPerType],
"" + (char)('a' + i%numPerType));
}
// Manual runs
String userRuns = System.getProperty("test.runs");
if (userRuns == null) {
result = new Ex[Integer.parseInt(
System.getProperty("test.autoruns", "100"))];
Random r = new Random();
for (int i = 0; i < result.length; i++) {
boolean expected = reqs.isEmpty() || r.nextBoolean();
result[i] = new Ex(
i,
expected ?
req(r.nextInt(nc), r.nextInt(ns)) :
r.nextInt(reqs.size()),
pa[r.nextInt(na)],
expected);
}
} else if (userRuns.isEmpty()) {
int count = 0;
result = new Ex[libs.length * libs.length];
for (int i = 0; i < libs.length; i++) {
result[count] = new Ex(
count,
req(0, 0),
pa[i * numPerType],
true);
count++;
for (int j = 0; j < libs.length; j++) {
if (i == j) {
continue;
}
result[count] = new Ex(
count,
i,
pa[j * numPerType],
false);
count++;
}
}
} else {
String[] runs = userRuns.split(",");
result = new Ex[runs.length];
for (int i = 0; i < runs.length; i++) {
UserRun run = new UserRun(runs[i]);
result[i] = new Ex(
i,
run.req() == -1 ?
req(run.client(), run.service()) :
result[run.req()].req,
Arrays.stream(pa)
.filter(p -> p.debug().equals(run.acceptor()))
.findFirst()
.orElseThrow(() -> new Exception(
"no acceptor named " + run.acceptor())),
run.success());
}
}
for (Ex x : result) {
x.run();
}
pi.println("END");
for (int i=0; i<na; i++) {
pa[i].println("END");
}
System.out.println("\nAll Test Results\n================");
boolean finalOut = true;
System.out.println(" req** client service acceptor Result");
System.out.println("---- ------- ------ --------- -------- -------");
for (int i=0; i<result.length; i++) {
boolean out = result[i].expected==result[i].actual;
finalOut &= out;
System.out.printf("%3d: %3d%s c%d s%d %4s %8s %s %s\n",
i,
result[i].req,
result[i].expected ? "**" : " ",
reqs.get(result[i].req).client,
reqs.get(result[i].req).service,
"(" + result[i].csize + ")",
result[i].acceptor.debug(),
result[i].actual ? "++" : "--",
out ? " " : "xxx");
}
System.out.println("\nPath of Reqs\n============");
for (int j=0; ; j++) {
boolean found = false;
for (int i=0; i<result.length; i++) {
if (result[i].req == j) {
if (!found) {
System.out.printf("%3d (c%s -> s%s): ", j,
reqs.get(j).client, reqs.get(j).service);
}
System.out.printf("%s%s(%d)%s",
found ? " -> " : "",
result[i].acceptor.debug(),
i,
result[i].actual != result[i].expected ?
"xxx" : "");
found = true;
}
}
System.out.println();
if (!found) {
break;
}
}
if (!finalOut) throw new Exception();
} else if (args[0].equals("Nsanity")) {
// Native mode sanity check
Proc.d("Detect start");
Context s = Context.fromUserKtab("*", OneKDC.KTAB, true);
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
} else if (args[0].equals("initiator")) {
while (true) {
String title = Proc.textIn();
Proc.d("Client see " + title);
if (title.equals("END")) break;
String[] cas = title.split(" ");
Context c = Context.fromUserPass(cas[0], OneKDC.PASS, false);
c.startAsClient(cas[1], GSSUtil.GSS_KRB5_MECH_OID);
c.x().requestCredDeleg(true);
byte[] token = c.take(new byte[0]);
Proc.d("Client AP-REQ generated");
Proc.binOut(token);
}
} else {
Proc.d(System.getProperty("java.vm.version"));
Proc.d(System.getProperty("sun.security.jgss.native"));
Proc.d(System.getProperty("sun.security.jgss.lib"));
Proc.d("---------------------------------\n");
Proc.d("Server start");
Context s = Context.fromUserKtab("*", OneKDC.KTAB, true);
Proc.d("Server login");
while (true) {
String title = Proc.textIn();
Proc.d("Server sees " + title);
if (title.equals("END")) break;
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
byte[] token = Proc.binIn();
try {
s.take(token);
Proc.textOut("true");
Proc.d("Good");
} catch (Exception e) {
Proc.textOut("false");
Proc.d("Bad");
}
}
}
}
public static void main(String[] args) throws Exception {
try {
main0(args);
} catch (Exception e) {
Proc.d(e);
throw e;
}
}
// returns the client name
private static String client(int p) {
return "client" + p;
}
// returns the service name
private static String service(int p) {
return SERVICE + p + "/" + HOST;
}
// returns the dfl name for a service
private static String dfl(int p) {
return SERVICE + p + (uid == -1 ? "" : ("_"+uid));
}
// generates an ap-req and save into reqs, returns the index
private static int req(int client, int service) throws Exception {
pi.println(client(client) + " " + service(service));
Req req = new Req(client, service, pi.readData());
reqs.add(req);
return reqs.size() - 1;
}
// create a acceptor
private static Proc acceptor(String type, String suffix) throws Exception {
Proc p;
String label;
String lib;
int pos = type.indexOf('=');
if (pos < 0) {
label = type;
lib = null;
} else {
label = type.substring(0, pos);
lib = type.substring(pos + 1);
}
if (type.startsWith("J")) {
if (lib == null) {
p = Proc.create("ReplayCacheTestProc")
.inheritProp("jdk.net.hosts.file");
} else {
p = Proc.create("ReplayCacheTestProc", lib)
.inheritProp("jdk.net.hosts.file");
}
p.prop("sun.security.krb5.rcache", "dfl")
.prop("java.io.tmpdir", cwd);
String useMD5 = System.getProperty("jdk.krb5.rcache.useMD5");
if (useMD5 != null) {
p.prop("jdk.krb5.rcache.useMD5", useMD5);
}
} else {
p = Proc.create("ReplayCacheTestProc")
.env("KRB5_CONFIG", OneKDC.KRB5_CONF)
.env("KRB5_KTNAME", OneKDC.KTAB)
.env("KRB5RCACHEDIR", cwd)
.inheritProp("jdk.net.hosts.file")
.prop("sun.security.jgss.native", "true")
.prop("javax.security.auth.useSubjectCredsOnly", "false")
.prop("sun.security.nativegss.debug", "true");
if (lib != null) {
String libDir = lib.substring(0, lib.lastIndexOf('/'));
p.prop("sun.security.jgss.lib", lib)
.env("DYLD_LIBRARY_PATH", libDir)
.env("LD_LIBRARY_PATH", libDir);
}
}
Proc.d(label+suffix+" started");
return p.args(label+suffix).debug(label+suffix).start();
}
// generates hash of authenticator inside ap-req inside initsectoken
private static void record(String label, Req req) throws Exception {
byte[] data = Base64.getDecoder().decode(req.msg);
data = Arrays.copyOfRange(data, 17, data.length);
try (PrintStream ps = new PrintStream(
new FileOutputStream("log.txt", true))) {
ps.printf("%s:\nmsg: %s\nMD5: %s\nSHA-256: %s\n\n",
label,
req.msg,
hex(md5.digest(data)),
hex(sha256.digest(data)));
}
}
// Returns a compact hexdump for a byte array
private static String hex(byte[] hash) {
char[] h = new char[hash.length * 2];
char[] hexConst = "0123456789ABCDEF".toCharArray();
for (int i=0; i<hash.length; i++) {
h[2*i] = hexConst[(hash[i]&0xff)>>4];
h[2*i+1] = hexConst[hash[i]&0xf];
}
return new String(h);
}
// return size of dfl file, excluding the null hash ones
private static int csize(int p) throws Exception {
try (SeekableByteChannel chan = Files.newByteChannel(
Paths.get(cwd, dfl(p)), StandardOpenOption.READ)) {
chan.position(6);
int cc = 0;
while (true) {
try {
if (AuthTime.readFrom(chan) != null) cc++;
} catch (BufferUnderflowException e) {
break;
}
}
return cc;
} catch (IOException ioe) {
return 0;
}
}
// models an experiement
private static class Ex {
int i; // #
int req; // which ap-req to send
Proc acceptor; // which acceptor to send to
boolean expected; // expected result
boolean actual; // actual output
int csize; // size of rcache after test
String hash; // the hash of req
Ex(int i, int req, Proc acceptor, boolean expected) {
this.i = i;
this.req = req;
this.acceptor = acceptor;
this.expected = expected;
}
void run() throws Exception {
Req r = reqs.get(req);
acceptor.println("TEST");
acceptor.println(r.msg);
String reply = acceptor.readData();
actual = Boolean.valueOf(reply);
csize = csize(r.service);
String label = String.format("%03d-client%d-%s%d-%s-%s",
i, r.client, SERVICE, r.service, acceptor.debug(), actual);
record(label, r);
if (new File(cwd, dfl(r.service)).exists()) {
Files.copy(Paths.get(cwd, dfl(r.service)), Paths.get(label),
StandardCopyOption.COPY_ATTRIBUTES);
}
}
}
// models a saved ap-req msg
private static class Req {
String msg; // based64-ed req
int client; // which client
int service; // which service
Req(int client, int service, String msg) {
this.msg = msg;
this.client= client;
this.service = service;
}
}
private static class UserRun {
static final Pattern p
= Pattern.compile("(c(\\d)+s(\\d+)|r(\\d+))(.*)(.)");
final Matcher m;
UserRun(String run) { m = p.matcher(run); m.find(); }
int req() { return group(4); }
int client() { return group(2); }
int service() { return group(3); }
String acceptor() { return m.group(5); }
boolean success() { return m.group(6).equals("v"); }
int group(int i) {
String g = m.group(i);
return g == null ? -1 : Integer.parseInt(g);
}
}
}