public void RegisterHandlerInvalidLow()
{
    // Attempts to register a null handler for message-type value 9, which is
    // not one of the MessageType members used elsewhere in these tests. The
    // test name suggests the server is expected to reject the registration,
    // presumably through an expected-exception attribute outside this listing.
    var options = new KdcServerOptions();
    var server = new KdcServer(options);

    server.RegisterMessageHandler((MessageType)9, null);
}
public async Task ParseKdcProxyMessage_WithoutLength()
{
    // Build an AS-REQ for a password credential and wrap it in a KDC proxy
    // message that carries no 4-byte length prefix (NoPrefix mode).
    var credential = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
    var asReq = KrbAsReq.CreateAsReq(credential, 0).EncodeApplication();

    var targetDomain = "corp.identityintervention.com";
    var locatorHint = DcLocatorHint.DS_AVOID_SELF;

    var wrapped = KdcProxyMessage.WrapMessage(asReq, targetDomain, locatorHint, mode: KdcProxyMessageMode.NoPrefix);

    var options = new KdcServerOptions
    {
        RealmLocator = realmName => new FakeRealmService(realmName)
    };
    var server = new KdcServer(options);

    var response = await server.ProcessMessage(wrapped.Encode());

    // The reply must itself be proxy-wrapped: a bare KRB-ERROR would mean the
    // server answered outside the proxy framing the client sent.
    Assert.IsTrue(response.Length > 0);
    Assert.IsFalse(KrbError.CanDecode(response));

    var proxyReply = KdcProxyMessage.Decode(response);
    var innerMessage = proxyReply.UnwrapMessage(out KdcProxyMessageMode replyMode);
    var error = KrbError.DecodeApplication(innerMessage);

    // The reply keeps the request's framing mode, and an AS-REQ that carries
    // no pre-authentication data is answered with KDC_ERR_PREAUTH_REQUIRED.
    Assert.AreEqual(KdcProxyMessageMode.NoPrefix, replyMode);
    Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, error.ErrorCode);
}
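/// <summary>
/// Creates a test KDC listening on 127.0.0.1:<paramref name="port"/> with
/// PKINIT (PA_PK_AS_REQ) pre-authentication registered, and returns it wrapped
/// in a <see cref="KdcListener"/>.
/// </summary>
/// <param name="port">Loopback TCP port the KDC listens on.</param>
/// <param name="slow">Passed through to <c>LocateRealm</c>; its effect is defined there.</param>
/// <param name="allowWeakCrypto">
/// Test-only switch written to <c>Configuration.Defaults.AllowWeakCrypto</c>.
/// Leave <c>false</c> unless the test under construction deliberately exercises
/// weak encryption types.
/// </param>
/// <param name="realm">Default realm; upper-cased with the invariant culture.</param>
/// <returns>A listener wrapping the configured, not-yet-started server.</returns>
/// <exception cref="ArgumentNullException"><paramref name="realm"/> is null.</exception>
public static KdcListener StartListener(
    int port,
    bool slow = false,
    bool allowWeakCrypto = false,
    string realm = "corp2.identityintervention.com"
)
{
    if (realm is null)
    {
        throw new ArgumentNullException(nameof(realm));
    }

    // The realm locator closes over `options` so it can hand the server's own
    // Configuration to LocateRealm; the variable therefore has to exist before
    // the object initializer runs, hence the two-step assignment.
    KdcServerOptions options = null;

    options = new KdcServerOptions
    {
        DefaultRealm = realm.ToUpper(CultureInfo.InvariantCulture),
        IsDebug = true,
        // Lambda parameter renamed: the original `realm => ...` shadowed the
        // `realm` method parameter above, which is an error on pre-C# 8
        // compilers and misleading on any.
        RealmLocator = requestedRealm => LocateRealm(requestedRealm, slow, options.Configuration)
    };

    options.Configuration.Defaults.AllowWeakCrypto = allowWeakCrypto;

    // A one-hour receive timeout presumably keeps paused/debugged tests from
    // being torn down by the server; it is far longer than a real KDC would use.
    options.Configuration.KdcDefaults.ReceiveTimeout = TimeSpan.FromHours(1);

    // Bind to loopback only so the test KDC is never reachable off-host.
    options.Configuration.KdcDefaults.KdcTcpListenEndpoints.Clear();
    options.Configuration.KdcDefaults.KdcTcpListenEndpoints.Add($"127.0.0.1:{port}");

    var server = new KdcServer(options);

    server.RegisterPreAuthHandler(
        PaDataType.PA_PK_AS_REQ,
        service => new PaDataPkAsReqHandler(service) { IncludeOption = X509IncludeOption.EndCertOnly }
    );

    return new KdcListener(server);
}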
public void TestRegisterHandlerInvalidHigh()
{
    // Attempts to register a null handler for message-type value 123, which is
    // not one of the MessageType members used elsewhere in these tests. The
    // test name suggests the server is expected to reject the registration,
    // presumably through an expected-exception attribute outside this listing.
    var options = new ListenerOptions();
    var server = new KdcServer(options);

    server.RegisterMessageHandler((MessageType)123, null);
}
public async Task KdcTagPeekFailureApplication()
{
    var options = new KdcServerOptions
    {
        DefaultRealm = "domain.com",
        IsDebug = true,
        Log = new FakeExceptionLoggerFactory()
    };
    var server = new KdcServer(options);

    // An encoded KrbChecksum is not an application-tagged Kerberos message,
    // so the server has nothing to route it to.
    var payload = new KrbChecksum().Encode();
    var response = await server.ProcessMessage(payload);

    // The server must still answer with a well-formed KRB-ERROR rather than
    // dropping the request or leaking an exception.
    var error = KrbError.DecodeApplication(response);
    Assert.IsNotNull(error);
    Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
}
public async Task KdcTagPeekFailureUnknownHandler()
{
    var options = new KdcServerOptions
    {
        DefaultRealm = "domain.com",
        IsDebug = true
    };
    var server = new KdcServer(options);

    // KRB-CRED is a valid application-tagged message, but no handler is
    // registered for it on this server.
    var credMessage = new KrbCred
    {
        Tickets = Array.Empty<KrbTicket>()
    };
    var response = await server.ProcessMessage(credMessage.EncodeApplication());

    var error = KrbError.DecodeApplication(response);
    Assert.IsNotNull(error);
    Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

    // The e-text names the cause so a misconfigured deployment is diagnosable.
    var explanation = error.EText;
    Assert.IsTrue(explanation.Contains("doesn't have a message handler registered"));
}
public async Task TestKdcTagPeekFailureUnknownHandler()
{
    var options = new ListenerOptions
    {
        DefaultRealm = "domain.com",
        IsDebug = true
    };
    var server = new KdcServer(options);

    // An encrypted AP-REP part is application-tagged, but this server has no
    // handler registered for that tag.
    var encodedPart = new KrbEncApRepPart().EncodeApplication().ToArray();
    var request = new ReadOnlySequence<byte>(encodedPart);

    var response = await server.ProcessMessage(request);

    var error = KrbError.DecodeApplication(response);
    Assert.IsNotNull(error);
    Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

    var explanation = error.EText;
    Assert.IsTrue(explanation.Contains("doesn't have a message handler registered"));
}
public async Task TestKdcTagPeekFailureApplication()
{
    var options = new ListenerOptions
    {
        DefaultRealm = "domain.com",
        IsDebug = true,
        Log = new ValidatorTests.TestLogger()
    };
    var server = new KdcServer(options);

    // A bare KrbChecksum carries no application tag the server recognises.
    var encodedChecksum = new KrbChecksum().Encode().ToArray();
    var request = new ReadOnlySequence<byte>(encodedChecksum);

    var response = await server.ProcessMessage(request);

    // Malformed input must produce a generic KRB-ERROR whose text identifies
    // the unrecognised tag rather than an unhandled exception.
    var error = KrbError.DecodeApplication(response);
    Assert.IsNotNull(error);
    Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

    var explanation = error.EText;
    Assert.IsTrue(explanation.Contains("Unknown incoming tag"));
}
public async Task KdcTagPeekFailureNullBuilder()
{
    var options = new KdcServerOptions
    {
        DefaultRealm = "domain.com",
        IsDebug = true
    };
    var server = new KdcServer(options);

    // A handler builder that yields null is a misconfiguration; the server is
    // expected to surface it as a KRB-ERROR rather than dereference null.
    server.RegisterMessageHandler(MessageType.KRB_CRED, (buffer, serverOptions) => null);

    var credMessage = new KrbCred
    {
        Tickets = Array.Empty<KrbTicket>()
    };
    var response = await server.ProcessMessage(credMessage.EncodeApplication());

    var error = KrbError.DecodeApplication(response);
    Assert.IsNotNull(error);
    Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

    var explanation = error.EText;
    Assert.IsTrue(explanation.Contains("Message handler builder KRB_CRED must not return null"));
}
public async Task TestKdcTagPeekFailureNullBuilder()
{
    var options = new ListenerOptions
    {
        DefaultRealm = "domain.com",
        IsDebug = true
    };
    var server = new KdcServer(options);

    // Register a builder for tag 27 that returns null; the server is expected
    // to report the misconfiguration in the error text using the numeric tag.
    server.RegisterMessageHandler((MessageType)27, (buffer, serverOptions) => null);

    var encodedPart = new KrbEncApRepPart().EncodeApplication().ToArray();
    var request = new ReadOnlySequence<byte>(encodedPart);

    var response = await server.ProcessMessage(request);

    var error = KrbError.DecodeApplication(response);
    Assert.IsNotNull(error);
    Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

    var explanation = error.EText;
    Assert.IsTrue(explanation.Contains("Message handler builder 27 must not return null"));
}
/// <summary>
/// Creates a test KDC bound to the loopback interface on <paramref name="port"/>,
/// registers PKINIT (PA_PK_AS_REQ) pre-authentication, and returns it wrapped
/// in a <see cref="KdcListener"/>.
/// </summary>
/// <param name="port">Loopback TCP port to listen on.</param>
/// <param name="slow">Forwarded to <c>LocateRealm</c>; its meaning is defined there.</param>
/// <returns>A listener wrapping the configured server.</returns>
public static KdcListener StartListener(int port, bool slow = false)
{
    var defaultRealm = "corp2.identityintervention.com".ToUpper(CultureInfo.InvariantCulture);

    var options = new KdcServerOptions
    {
        // Loopback only: the test KDC must not be reachable from other hosts.
        ListeningOn = new IPEndPoint(IPAddress.Loopback, port),
        DefaultRealm = defaultRealm,
        IsDebug = true,
        RealmLocator = realmName => LocateRealm(realmName, slow),
        // Far longer than a production KDC would allow; presumably so that a
        // paused or debugged test is not torn down by a receive timeout.
        ReceiveTimeout = TimeSpan.FromHours(1)
    };

    var server = new KdcServer(options);

    server.RegisterPreAuthHandler(
        PaDataType.PA_PK_AS_REQ,
        service => new PaDataPkAsReqHandler(service)
        {
            IncludeOption = X509IncludeOption.EndCertOnly
        }
    );

    return new KdcListener(server);
}
public async Task ParseKdcProxyMessage()
{
    var credential = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
    var asReq = KrbAsReq.CreateAsReq(credential, 0).EncodeApplication();

    // Proxy payload layout: 4-byte big-endian length, then the AS-REQ bytes.
    const int lengthPrefixSize = 4;
    var payload = new Memory<byte>(new byte[asReq.Length + lengthPrefixSize]);
    Endian.ConvertToBigEndian(asReq.Length, payload.Slice(0, lengthPrefixSize));
    asReq.CopyTo(payload.Slice(lengthPrefixSize, asReq.Length));

    var proxyRequest = new KdcProxyMessage
    {
        TargetDomain = "corp.identityintervention.com",
        KerbMessage = payload,
        DcLocatorHint = DcLocatorHint.DS_AVOID_SELF
    };

    var options = new ListenerOptions
    {
        RealmLocator = LocateFakeRealm
    };
    var server = new KdcServer(options);

    var request = new ReadOnlySequence<byte>(proxyRequest.Encode());
    var response = await server.ProcessMessage(request);

    // The reply must be proxy-wrapped rather than a bare KRB-ERROR.
    Assert.IsTrue(response.Length > 0);
    Assert.IsFalse(KrbError.CanDecode(response));

    var proxyReply = KdcProxyMessage.Decode(response);
    var error = KrbError.DecodeApplication(proxyReply.UnwrapMessage());

    // An AS-REQ without pre-authentication data is answered with
    // KDC_ERR_PREAUTH_REQUIRED.
    Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, error.ErrorCode);
}
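/// <summary>
/// Wraps an already-configured <see cref="KdcServer"/>. The constructor is
/// private, so instances are obtained through a static factory such as
/// <c>StartListener</c>.
/// </summary>
/// <param name="server">The server this listener drives; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="server"/> is null.</exception>
private KdcListener(KdcServer server)
{
    // Fail at construction rather than on first use so a null server is
    // reported at the call site that made the mistake.
    this.server = server ?? throw new ArgumentNullException(nameof(server));
}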
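/// <summary>
/// Creates an in-process KDC for tests: a <see cref="KdcServer"/> built from
/// <paramref name="serverOptions"/> plus a loopback TCP listener on an
/// OS-assigned port.
/// </summary>
/// <param name="serverOptions">Options for the wrapped server; must not be null.</param>
/// <exception cref="System.ArgumentNullException"><paramref name="serverOptions"/> is null.</exception>
public FakeKdcServer(KdcServerOptions serverOptions)
{
    if (serverOptions is null)
    {
        throw new System.ArgumentNullException(nameof(serverOptions));
    }

    _kdcServer = new KdcServer(serverOptions);

    // Port 0 lets the OS pick a free ephemeral port; binding to loopback keeps
    // the fake KDC unreachable from anything outside the test host.
    _tcpListener = new TcpListener(System.Net.IPAddress.Loopback, 0);

    _runningLock = new object();
}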
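/// <summary>
/// Seeds the directory service from the <c>minikdc.ldiff</c> resource, starts
/// the embedded KDC on the configured transport (TCP or UDP), writes a
/// <c>krb5.conf</c> into the work directory from the <c>minikdc-krb5.conf</c>
/// template, and points the runtime's krb5 properties at it before forcing a
/// config refresh via reflection.
/// </summary>
/// <exception cref="System.Exception"/>
/// <exception cref="ArgumentException">The configured transport is neither TCP nor UDP.</exception>
private void InitKDCServer()
{
    string orgName = conf.GetProperty(OrgName);
    string orgDomain = conf.GetProperty(OrgDomain);
    string bindAddress = conf.GetProperty(KdcBindAddress);

    // Substitution values for the numbered placeholders in minikdc.ldiff.
    IDictionary<string, string> map = new Dictionary<string, string>();
    map["0"] = orgName.ToLower(Extensions.GetEnglishCulture());
    map["1"] = orgDomain.ToLower(Extensions.GetEnglishCulture());
    map["2"] = orgName.ToUpper(Extensions.GetEnglishCulture());
    map["3"] = orgDomain.ToUpper(Extensions.GetEnglishCulture());
    map["4"] = bindAddress;

    ClassLoader cl = Thread.CurrentThread().GetContextClassLoader();
    InputStream is1 = cl.GetResourceAsStream("minikdc.ldiff");
    SchemaManager schemaManager = ds.GetSchemaManager();
    LdifReader reader = null;
    try
    {
        string content = StrSubstitutor.Replace(IOUtils.ToString(is1), map);
        reader = new LdifReader(new StringReader(content));
        foreach (LdifEntry ldifEntry in reader)
        {
            ds.GetAdminSession().Add(new DefaultEntry(schemaManager, ldifEntry.GetEntry()));
        }
    }
    finally
    {
        IOUtils.CloseQuietly(reader);
        IOUtils.CloseQuietly(is1);
    }

    KerberosConfig kerberosConfig = new KerberosConfig();
    kerberosConfig.SetMaximumRenewableLifetime(long.Parse(conf.GetProperty(MaxRenewableLifetime)));
    kerberosConfig.SetMaximumTicketLifetime(long.Parse(conf.GetProperty(MaxTicketLifetime)));
    // Fix: "%s" is a Java format specifier; .NET string.Format would emit it
    // verbatim and the search base would literally be "dc=%s,dc=%s".
    kerberosConfig.SetSearchBaseDn(string.Format("dc={0},dc={1}", orgName, orgDomain));
    // Pre-auth timestamps are switched off for test convenience only. Do not
    // carry this setting into a real KDC configuration.
    kerberosConfig.SetPaEncTimestampRequired(false);
    // NOTE: kerberosConfig is built but, with the line below commented out,
    // never handed to the KdcServer, so the settings above currently have no
    // effect on the running server.
    //kdc = new KdcServer(kerberosConfig);
    kdc = new KdcServer();
    kdc.SetDirectoryService(ds);

    // transport: a missing property now yields "Invalid transport: " instead
    // of a NullReferenceException from Trim(); comparison is ordinal on purpose
    // because the value is a configuration keyword, not user-facing text.
    string transport = conf.GetProperty(Transport);
    string transportName = transport?.Trim();
    if (string.Equals(transportName, "TCP", StringComparison.Ordinal))
    {
        kdc.AddTransports(new TcpTransport(bindAddress, port, 3, 50));
    }
    else if (string.Equals(transportName, "UDP", StringComparison.Ordinal))
    {
        kdc.AddTransports(new UdpTransport(port));
    }
    else
    {
        throw new ArgumentException("Invalid transport: " + transport);
    }

    kdc.SetServiceName(conf.GetProperty(Instance));
    kdc.Start();

    // Read the krb5.conf template line by line; "{3}" is the MessageFormat
    // slot that the platform line separator is substituted into below.
    StringBuilder sb = new StringBuilder();
    InputStream is2 = cl.GetResourceAsStream("minikdc-krb5.conf");
    BufferedReader r = null;
    try
    {
        r = new BufferedReader(new InputStreamReader(is2, Charsets.Utf8));
        string line = r.ReadLine();
        while (line != null)
        {
            sb.Append(line).Append("{3}");
            line = r.ReadLine();
        }
    }
    finally
    {
        IOUtils.CloseQuietly(r);
        IOUtils.CloseQuietly(is2);
    }

    krb5conf = new FilePath(workDir, "krb5.conf").GetAbsoluteFile();
    FileUtils.WriteStringToFile(
        krb5conf,
        MessageFormat.Format(sb.ToString(), GetRealm(), GetHost(), Extensions.ToString(GetPort()), Runtime.GetProperty("line.separator"))
    );
    Runtime.SetProperty(JavaSecurityKrb5Conf, krb5conf.GetAbsolutePath());
    // Debug defaults to "false"; enabling it makes the Kerberos library log
    // protocol detail, so keep it off outside diagnostic runs.
    Runtime.SetProperty(SunSecurityKrb5Debug, conf.GetProperty(Debug, "false"));

    // refresh the config: the krb5 Config class differs between IBM and Sun
    // runtimes, so the name is chosen from the vendor property and its
    // parameterless "refresh" is invoked reflectively.
    Type classRef;
    if (Runtime.GetProperty("java.vendor").Contains("IBM"))
    {
        classRef = Runtime.GetType("com.ibm.security.krb5.internal.Config");
    }
    else
    {
        classRef = Runtime.GetType("sun.security.krb5.Config");
    }
    MethodInfo refreshMethod = classRef.GetMethod("refresh", new Type[0]);
    refreshMethod.Invoke(classRef, new object[0]);

    Log.Info("MiniKdc listening at port: {}", GetPort());
    Log.Info("MiniKdc setting JVM krb5.conf to: {}", krb5conf.GetAbsolutePath());
}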