// dynamic configuration of HTTP principals
/// <exception cref="System.Exception"/>
public virtual void TestDynamicPrincipalDiscovery()
{
string[] keytabUsers = new string[] { "HTTP/host1", "HTTP/host2", "HTTP2/host1",
"XHTTP/host" };
string keytab = KerberosTestUtils.GetKeytabFile();
GetKdc().CreatePrincipal(new FilePath(keytab), keytabUsers);
// destroy handler created in setUp()
handler.Destroy();
Properties props = new Properties();
props.SetProperty(KerberosAuthenticationHandler.Keytab, keytab);
props.SetProperty(KerberosAuthenticationHandler.Principal, "*");
handler = GetNewAuthenticationHandler();
handler.Init(props);
Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab
());
ICollection <KerberosPrincipal> loginPrincipals = handler.GetPrincipals();
foreach (string user in keytabUsers)
{
Principal principal = new KerberosPrincipal(user + "@" + KerberosTestUtils.GetRealm
());
bool expected = user.StartsWith("HTTP/");
Assert.Equal("checking for " + user, expected, loginPrincipals
.Contains(principal));
}
}
internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth
authType)
{
KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf);
Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo);
if (krbInfo == null)
{
// protocol has no support for kerberos
return(null);
}
string serverKey = krbInfo.ServerPrincipal();
if (serverKey == null)
{
throw new ArgumentException("Can't obtain server Kerberos config key from protocol="
+ protocol.GetCanonicalName());
}
// construct server advertised principal for comparision
string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType
.GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName();
bool isPrincipalValid = false;
// use the pattern if defined
string serverKeyPattern = conf.Get(serverKey + ".pattern");
if (serverKeyPattern != null && !serverKeyPattern.IsEmpty())
{
Pattern pattern = GlobPattern.Compile(serverKeyPattern);
isPrincipalValid = pattern.Matcher(serverPrincipal).Matches();
}
else
{
// check that the server advertised principal matches our conf
string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr
.Address);
if (Log.IsDebugEnabled())
{
Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey
) + " principal: " + confPrincipal);
}
if (confPrincipal == null || confPrincipal.IsEmpty())
{
throw new ArgumentException("Failed to specify server's Kerberos principal name");
}
KerberosName name = new KerberosName(confPrincipal);
if (name.GetHostName() == null)
{
throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: "
+ confPrincipal);
}
isPrincipalValid = serverPrincipal.Equals(confPrincipal);
}
if (!isPrincipalValid)
{
throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal
);
}
return(serverPrincipal);
}
/// <exception cref="System.Exception"/>
public virtual void TestGetUGIFromSubject()
{
KerberosPrincipal p = new KerberosPrincipal("guest");
Subject subject = new Subject();
subject.GetPrincipals().AddItem(p);
UserGroupInformation ugi = UserGroupInformation.GetUGIFromSubject(subject);
NUnit.Framework.Assert.IsNotNull(ugi);
Assert.Equal("*****@*****.**", ugi.GetUserName());
}
/// <exception cref="System.Exception"/>
public virtual void TestInit()
{
Assert.Equal(KerberosTestUtils.GetKeytabFile(), handler.GetKeytab
());
ICollection <KerberosPrincipal> principals = handler.GetPrincipals();
Principal expectedPrincipal = new KerberosPrincipal(KerberosTestUtils.GetServerPrincipal
());
Assert.True(principals.Contains(expectedPrincipal));
Assert.Equal(1, principals.Count);
}
/// <summary>TGS must have the server principal of the form "krbtgt/FOO@FOO".</summary>
/// <param name="principal"/>
/// <returns>true or false</returns>
internal static bool IsTGSPrincipal(KerberosPrincipal principal)
{
if (principal == null)
{
return(false);
}
if (principal.GetName().Equals("krbtgt/" + principal.GetRealm() + "@" + principal
.GetRealm()))
{
return(true);
}
return(false);
}
