modules/rampart-integration/src/test/java/org/apache/rampart/util/KerberosServer.java - axis-axis2-java-rampart - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements. See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership. The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.rampart.util;

 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.DatagramSocket;
 import java.nio.file.Files;
 import java.security.Provider;
 import java.security.Security;
 import java.util.List;

 import org.apache.axis2.testutils.PortAllocator;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.directory.api.ldap.model.entry.DefaultEntry;
 import org.apache.directory.api.ldap.model.ldif.LdifEntry;
 import org.apache.directory.api.ldap.model.ldif.LdifReader;
 import org.apache.directory.server.core.api.DirectoryService;
 import org.apache.directory.server.core.api.interceptor.Interceptor;
 import org.apache.directory.server.core.api.partition.Partition;
 import org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory;
 import org.apache.directory.server.core.factory.DirectoryServiceFactory;
 import org.apache.directory.server.core.factory.PartitionFactory;
 import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
 import org.apache.directory.server.kerberos.KerberosConfig;
 import org.apache.directory.server.kerberos.kdc.KdcServer;
 import org.apache.directory.server.protocol.shared.transport.Transport;
 import org.apache.directory.server.protocol.shared.transport.UdpTransport;
 import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
 import org.junit.rules.ExternalResource;

 /**
  * Runs an Apache DS Kerberos server.
  */
 public final class KerberosServer extends ExternalResource {

     private static final Log log = LogFactory.getLog(KerberosServer.class);

     /**
      * The used DirectoryService instance
      */
     private DirectoryService directoryService;

     /**
      * The used KdcServer instance
      */
     private KdcServer kdcServer;

     private Provider provider;
     private int providerPos = 2;

     private File workDir;

     @Override
     protected void before() throws Throwable {
         int kdcPort = PortAllocator.allocatePort();

         DatagramSocket datagramSocket = new DatagramSocket(kdcPort);
         datagramSocket.setReuseAddress(true);
         datagramSocket.close();

         //Ok, apache ds doesn't like the bouncy castle provider at position 2
         //Caused by: KrbException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
         Provider[] installedProviders = Security.getProviders();
         for (int i = 0; i < installedProviders.length; i++) {
             Provider installedProvider = installedProviders[i];
             if ("BC".equals(installedProvider.getName())) {
                 provider = installedProvider;
                 providerPos = i;
                 Security.removeProvider("BC");
                 break;
             }
         }
         if (provider != null) {
             Security.addProvider(provider);
         }

         workDir = Files.createTempDirectory("server-work").toFile();

         DirectoryServiceFactory directoryServiceFactory = new DefaultDirectoryServiceFactory();
         directoryService = directoryServiceFactory.getDirectoryService();
         directoryService.setAccessControlEnabled(false);
         directoryService.setAllowAnonymousAccess(false);
         directoryService.getChangeLog().setEnabled(true);

         List<Interceptor> interceptors = directoryService.getInterceptors();
         interceptors.add(new KeyDerivationInterceptor());
         directoryService.setInterceptors(interceptors);
         directoryServiceFactory.init("defaultDS");

         PartitionFactory partitionFactory = directoryServiceFactory.getPartitionFactory();
         Partition partition = partitionFactory.createPartition(directoryService.getSchemaManager(),
             directoryService.getDnFactory(), "example", "dc=example,dc=com", 1000, workDir);

         partitionFactory.addIndex(partition, "objectClass", 1000);
         partitionFactory.addIndex(partition, "dc", 1000);
         partitionFactory.addIndex(partition, "ou", 1000);

         partition.setSchemaManager(directoryService.getSchemaManager());
         // Inject the partition into the DirectoryService
         directoryService.addPartition(partition);

         InputStream is = KerberosServer.class.getClassLoader().getResourceAsStream("kerberos/users.ldif");
         LdifReader ldifReader = new LdifReader(is);
         for (LdifEntry entry : ldifReader) {
             directoryService.getAdminSession().add(new DefaultEntry(directoryService.getSchemaManager(), entry.getEntry()));
         }
         ldifReader.close();

         KerberosConfig kerberosConfig = new KerberosConfig();
         kerberosConfig.setServicePrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
         kerberosConfig.setPrimaryRealm("EXAMPLE.COM");
         kerberosConfig.setSearchBaseDn("dc=example,dc=com");
         kerberosConfig.setMaximumTicketLifetime(60000 * 1440);
         kerberosConfig.setMaximumRenewableLifetime(60000 * 10080);
         kerberosConfig.setEncryptionTypes(new EncryptionType[]{EncryptionType.AES128_CTS_HMAC_SHA1_96});

         kdcServer = new KdcServer(kerberosConfig);
         kdcServer.setServiceName("DefaultKrbServer");

         final String kdcHostname = "localhost";
         log.info(String.format("Starting service on %s:%s", kdcHostname, kdcPort));

         UdpTransport udp = new UdpTransport(kdcHostname, kdcPort);
         kdcServer.addTransports(udp);
         kdcServer.setDirectoryService(directoryService);
         kdcServer.start();
     }

     /**
      * @return The Apache DS Kerberos server port.
      * @throws IllegalArgumentException If server or respective transport are not initialized
      */
     public int getPort() throws IllegalArgumentException {
         if (kdcServer == null) {
             throw new IllegalStateException("Kerberos server is not initialized");
         }

         Transport[] transports =  kdcServer.getTransports();
         if (transports == null || transports.length == 0) {
             throw new IllegalStateException("Kerberos server does not configure any transports");
         }

         for (Transport transport : transports) {
             if (transport instanceof UdpTransport) {
                 return transport.getPort();
             }
         }

         throw new IllegalStateException(
                 String.format("Cannot identify Kerberos server port. List of transports does not contain an %s instance",
                         UdpTransport.class.getName()));
     }

     @Override
     protected void after() {
         log.info("Stop called");
         try {
             if (directoryService != null) {
                 try {
                     directoryService.shutdown();
                 } catch (Exception ex) {
                     log.error("Failed to stop server", ex);
                 } finally {
                     try {
                         FileUtils.deleteDirectory(workDir);
                     }
                     catch (IOException e) {
                         log.error("Failed to delete Apache DS working directory: " + workDir.getAbsolutePath() , e);
                     }
                 }
                 directoryService = null;
             }
         }
         finally {
             if (kdcServer != null) {
                 kdcServer.stop();
                 kdcServer = null;
             }

             if (provider != null) {
                 //restore BC position
                 Security.removeProvider("BC");
                 Security.insertProviderAt(provider, providerPos);
             }
         }
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.rampart.util;

	import java.io.File;
	import java.io.IOException;
	import java.io.InputStream;
	import java.net.DatagramSocket;
	import java.nio.file.Files;
	import java.security.Provider;
	import java.security.Security;
	import java.util.List;

	import org.apache.axis2.testutils.PortAllocator;
	import org.apache.commons.io.FileUtils;
	import org.apache.commons.logging.Log;
	import org.apache.commons.logging.LogFactory;
	import org.apache.directory.api.ldap.model.entry.DefaultEntry;
	import org.apache.directory.api.ldap.model.ldif.LdifEntry;
	import org.apache.directory.api.ldap.model.ldif.LdifReader;
	import org.apache.directory.server.core.api.DirectoryService;
	import org.apache.directory.server.core.api.interceptor.Interceptor;
	import org.apache.directory.server.core.api.partition.Partition;
	import org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory;
	import org.apache.directory.server.core.factory.DirectoryServiceFactory;
	import org.apache.directory.server.core.factory.PartitionFactory;
	import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
	import org.apache.directory.server.kerberos.KerberosConfig;
	import org.apache.directory.server.kerberos.kdc.KdcServer;
	import org.apache.directory.server.protocol.shared.transport.Transport;
	import org.apache.directory.server.protocol.shared.transport.UdpTransport;
	import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
	import org.junit.rules.ExternalResource;

	/**
	* Runs an Apache DS Kerberos server.
	*/
	public final class KerberosServer extends ExternalResource {

	private static final Log log = LogFactory.getLog(KerberosServer.class);

	/**
	* The used DirectoryService instance
	*/
	private DirectoryService directoryService;

	/**
	* The used KdcServer instance
	*/
	private KdcServer kdcServer;

	private Provider provider;
	private int providerPos = 2;

	private File workDir;

	@Override
	protected void before() throws Throwable {
	int kdcPort = PortAllocator.allocatePort();

	DatagramSocket datagramSocket = new DatagramSocket(kdcPort);
	datagramSocket.setReuseAddress(true);
	datagramSocket.close();

	//Ok, apache ds doesn't like the bouncy castle provider at position 2
	//Caused by: KrbException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
	Provider[] installedProviders = Security.getProviders();
	for (int i = 0; i < installedProviders.length; i++) {
	Provider installedProvider = installedProviders[i];
	if ("BC".equals(installedProvider.getName())) {
	provider = installedProvider;
	providerPos = i;
	Security.removeProvider("BC");
	break;
	}
	}
	if (provider != null) {
	Security.addProvider(provider);
	}

	workDir = Files.createTempDirectory("server-work").toFile();

	DirectoryServiceFactory directoryServiceFactory = new DefaultDirectoryServiceFactory();
	directoryService = directoryServiceFactory.getDirectoryService();
	directoryService.setAccessControlEnabled(false);
	directoryService.setAllowAnonymousAccess(false);
	directoryService.getChangeLog().setEnabled(true);

	List<Interceptor> interceptors = directoryService.getInterceptors();
	interceptors.add(new KeyDerivationInterceptor());
	directoryService.setInterceptors(interceptors);
	directoryServiceFactory.init("defaultDS");

	PartitionFactory partitionFactory = directoryServiceFactory.getPartitionFactory();
	Partition partition = partitionFactory.createPartition(directoryService.getSchemaManager(),
	directoryService.getDnFactory(), "example", "dc=example,dc=com", 1000, workDir);

	partitionFactory.addIndex(partition, "objectClass", 1000);
	partitionFactory.addIndex(partition, "dc", 1000);
	partitionFactory.addIndex(partition, "ou", 1000);

	partition.setSchemaManager(directoryService.getSchemaManager());
	// Inject the partition into the DirectoryService
	directoryService.addPartition(partition);

	InputStream is = KerberosServer.class.getClassLoader().getResourceAsStream("kerberos/users.ldif");
	LdifReader ldifReader = new LdifReader(is);
	for (LdifEntry entry : ldifReader) {
	directoryService.getAdminSession().add(new DefaultEntry(directoryService.getSchemaManager(), entry.getEntry()));
	}
	ldifReader.close();

	KerberosConfig kerberosConfig = new KerberosConfig();
	kerberosConfig.setServicePrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
	kerberosConfig.setPrimaryRealm("EXAMPLE.COM");
	kerberosConfig.setSearchBaseDn("dc=example,dc=com");
	kerberosConfig.setMaximumTicketLifetime(60000 * 1440);
	kerberosConfig.setMaximumRenewableLifetime(60000 * 10080);
	kerberosConfig.setEncryptionTypes(new EncryptionType[]{EncryptionType.AES128_CTS_HMAC_SHA1_96});

	kdcServer = new KdcServer(kerberosConfig);
	kdcServer.setServiceName("DefaultKrbServer");

	final String kdcHostname = "localhost";
	log.info(String.format("Starting service on %s:%s", kdcHostname, kdcPort));

	UdpTransport udp = new UdpTransport(kdcHostname, kdcPort);
	kdcServer.addTransports(udp);
	kdcServer.setDirectoryService(directoryService);
	kdcServer.start();
	}

	/**
	* @return The Apache DS Kerberos server port.
	* @throws IllegalArgumentException If server or respective transport are not initialized
	*/
	public int getPort() throws IllegalArgumentException {
	if (kdcServer == null) {
	throw new IllegalStateException("Kerberos server is not initialized");
	}

	Transport[] transports = kdcServer.getTransports();
	if (transports == null \|\| transports.length == 0) {
	throw new IllegalStateException("Kerberos server does not configure any transports");
	}

	for (Transport transport : transports) {
	if (transport instanceof UdpTransport) {
	return transport.getPort();
	}
	}

	throw new IllegalStateException(
	String.format("Cannot identify Kerberos server port. List of transports does not contain an %s instance",
	UdpTransport.class.getName()));
	}

	@Override
	protected void after() {
	log.info("Stop called");
	try {
	if (directoryService != null) {
	try {
	directoryService.shutdown();
	} catch (Exception ex) {
	log.error("Failed to stop server", ex);
	} finally {
	try {
	FileUtils.deleteDirectory(workDir);
	}
	catch (IOException e) {
	log.error("Failed to delete Apache DS working directory: " + workDir.getAbsolutePath() , e);
	}
	}
	directoryService = null;
	}
	}
	finally {
	if (kdcServer != null) {
	kdcServer.stop();
	kdcServer = null;
	}

	if (provider != null) {
	//restore BC position
	Security.removeProvider("BC");
	Security.insertProviderAt(provider, providerPos);
	}
	}
	}
	}