        public void RegisterHandlerInvalidLow()
        {
            // Registering a handler for a MessageType below the range the server knows
            // must be rejected up front rather than silently accepted; the test attribute
            // capturing the expected exception sits above this listing and is not shown.
            var options = new KdcServerOptions { };
            var server  = new KdcServer(options);

            const MessageType belowRangeType = (MessageType)9;

            server.RegisterMessageHandler(belowRangeType, null);
        }
        public async Task ParseKdcProxyMessage_WithoutLength()
        {
            // Build an AS-REQ for a password credential and wrap it in a KDC-proxy
            // envelope that deliberately omits the 4-byte length prefix.
            var credential = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
            var asReqBytes = KrbAsReq.CreateAsReq(credential, 0).EncodeApplication();

            var proxied = KdcProxyMessage.WrapMessage(
                asReqBytes,
                "corp.identityintervention.com",
                DcLocatorHint.DS_AVOID_SELF,
                mode: KdcProxyMessageMode.NoPrefix
            );

            var server = new KdcServer(new KdcServerOptions
            {
                RealmLocator = realmName => new FakeRealmService(realmName)
            });

            var rawReply = await server.ProcessMessage(proxied.Encode());

            // The server must answer, and must answer inside the proxy framing rather
            // than with a bare KRB-ERROR on the wire.
            Assert.IsTrue(rawReply.Length > 0);
            Assert.IsFalse(KrbError.CanDecode(rawReply));

            var unwrapped = KdcProxyMessage.Decode(rawReply).UnwrapMessage(out KdcProxyMessageMode replyMode);
            var krbError  = KrbError.DecodeApplication(unwrapped);

            // The prefix-less framing is echoed back, and the KDC demands
            // pre-authentication before it will issue anything for this principal
            // (presumably the initial AS-REQ carries no PA-DATA — confirm in CreateAsReq).
            Assert.AreEqual(KdcProxyMessageMode.NoPrefix, replyMode);
            Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, krbError.ErrorCode);
        }
        /// <summary>
        /// Builds a KDC that accepts TCP on 127.0.0.1:<paramref name="port"/> for in-process
        /// tests and wraps it in a <see cref="KdcListener"/>.
        /// </summary>
        /// <param name="port">Loopback TCP port the KDC listens on.</param>
        /// <param name="slow">Forwarded to <c>LocateRealm</c>; presumably makes realm lookups artificially slow for timeout tests — confirm there.</param>
        /// <param name="allowWeakCrypto">Written to <c>Configuration.Defaults.AllowWeakCrypto</c>. Leave false except in tests that deliberately exercise legacy encryption types.</param>
        /// <param name="realm">Default realm; upper-cased with the invariant culture.</param>
        /// <returns>The wrapped, configured server.</returns>
        public static KdcListener StartListener(
            int port,
            bool slow            = false,
            bool allowWeakCrypto = false,
            string realm         = "corp2.identityintervention.com"
            )
        {
            // Declared before the initializer so the RealmLocator lambda can capture the
            // variable; the lambda only runs later, once options.Configuration exists.
            KdcServerOptions options = null;

            options = new KdcServerOptions
            {
                DefaultRealm = realm.ToUpper(CultureInfo.InvariantCulture),
                IsDebug      = true,
                // `requestedRealm` is the realm named by the incoming request, not the
                // default-realm parameter above — keep the two distinct.
                RealmLocator = requestedRealm => LocateRealm(requestedRealm, slow, options.Configuration)
            };

            var config = options.Configuration;

            config.Defaults.AllowWeakCrypto = allowWeakCrypto;

            // A one-hour receive timeout is a convenience for stepping through tests in a
            // debugger; it is far longer than a real KDC should hold an idle connection.
            config.KdcDefaults.ReceiveTimeout = TimeSpan.FromHours(1);

            // Loopback only, so the test KDC is never reachable from other hosts.
            config.KdcDefaults.KdcTcpListenEndpoints.Clear();
            config.KdcDefaults.KdcTcpListenEndpoints.Add($"127.0.0.1:{port}");

            var server = new KdcServer(options);

            // PKINIT (PA-PK-AS-REQ) pre-auth; EndCertOnly presumably limits the signed
            // reply to the end-entity certificate rather than the whole chain.
            server.RegisterPreAuthHandler(
                PaDataType.PA_PK_AS_REQ,
                service => new PaDataPkAsReqHandler(service) { IncludeOption = X509IncludeOption.EndCertOnly }
            );

            return new KdcListener(server);
        }
        public void TestRegisterHandlerInvalidHigh()
        {
            // Mirror of the low-range case: a MessageType above anything the server
            // knows must be refused at registration time. The attribute capturing the
            // expected exception is above this listing and not shown.
            var options = new ListenerOptions { };
            var server  = new KdcServer(options);

            const MessageType aboveRangeType = (MessageType)123;

            server.RegisterMessageHandler(aboveRangeType, null);
        }
        public async Task KdcTagPeekFailureApplication()
        {
            var server = new KdcServer(new KdcServerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug      = true,
                Log          = new FakeExceptionLoggerFactory()
            });

            // A bare KrbChecksum encoding is not a Kerberos APPLICATION message; it is
            // presumably rejected by the server's incoming-tag peek. Either way the
            // client must get a well-formed generic KRB-ERROR, not a dropped connection.
            var notAKerberosMessage = new KrbChecksum { }.Encode();

            var reply = await server.ProcessMessage(notAKerberosMessage);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
        }
        public async Task KdcTagPeekFailureUnknownHandler()
        {
            var server = new KdcServer(new KdcServerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug      = true
            });

            // A well-formed but empty KRB-CRED; nothing is registered to handle it.
            var emptyCred = new KrbCred { Tickets = Array.Empty<KrbTicket>() };

            var reply = await server.ProcessMessage(emptyCred.EncodeApplication());
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

            // The diagnostic naming the missing handler is asserted verbatim. IsDebug is
            // on here; presumably that is what lets internal detail reach e-text — a
            // non-debug KDC should not echo handler-registration state to clients. Confirm.
            Assert.IsTrue(error.EText.Contains("doesn't have a message handler registered"));
        }
        public async Task TestKdcTagPeekFailureUnknownHandler()
        {
            var server = new KdcServer(new ListenerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug      = true
            });

            // An EncAPRepPart is a legitimate Kerberos APPLICATION encoding, but not one a
            // KDC has any business receiving, so no handler exists for it.
            var stray = new KrbEncApRepPart { };
            var request = new ReadOnlySequence<byte>(stray.EncodeApplication().ToArray());

            var reply = await server.ProcessMessage(request);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

            // Verbatim diagnostic; IsDebug is set, and presumably that is what surfaces it.
            // Confirm a non-debug server keeps this detail out of e-text.
            Assert.IsTrue(error.EText.Contains("doesn't have a message handler registered"));
        }
        public async Task TestKdcTagPeekFailureApplication()
        {
            var server = new KdcServer(new ListenerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug      = true,
                Log          = new ValidatorTests.TestLogger()
            });

            // A bare KrbChecksum is not an APPLICATION-tagged Kerberos message, so the
            // server's tag peek cannot classify it.
            var garbage = new KrbChecksum { };
            var request = new ReadOnlySequence<byte>(garbage.Encode().ToArray());

            var reply = await server.ProcessMessage(request);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

            // Diagnostic text is asserted verbatim; IsDebug is on, which presumably is
            // why it reaches the client at all — confirm a non-debug KDC suppresses it.
            Assert.IsTrue(error.EText.Contains("Unknown incoming tag"));
        }
        public async Task KdcTagPeekFailureNullBuilder()
        {
            var server = new KdcServer(new KdcServerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug      = true
            });

            // A handler builder that violates its contract by returning null; the server
            // must convert that into an error reply rather than dereferencing it.
            server.RegisterMessageHandler(MessageType.KRB_CRED, (message, opts) => null);

            var emptyCred = new KrbCred { Tickets = Array.Empty<KrbTicket>() };

            var reply = await server.ProcessMessage(emptyCred.EncodeApplication());
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

            // Verbatim diagnostic, presumably only visible because IsDebug is on — confirm.
            Assert.IsTrue(error.EText.Contains("Message handler builder KRB_CRED must not return null"));
        }
        public async Task TestKdcTagPeekFailureNullBuilder()
        {
            var server = new KdcServer(new ListenerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug      = true
            });

            // 27 is the APPLICATION tag of EncAPRepPart (the message sent below), so this
            // builder is the one the server selects; it then breaks its contract by
            // returning null.
            const MessageType encApRepPartTag = (MessageType)27;
            server.RegisterMessageHandler(encApRepPartTag, (message, opts) => null);

            var stray = new KrbEncApRepPart { };
            var request = new ReadOnlySequence<byte>(stray.EncodeApplication().ToArray());

            var reply = await server.ProcessMessage(request);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);

            // Verbatim diagnostic; presumably only surfaced because IsDebug is on — confirm.
            Assert.IsTrue(error.EText.Contains("Message handler builder 27 must not return null"));
        }
        /// <summary>
        /// Builds a test KDC listening on loopback:<paramref name="port"/> and wraps it in a
        /// <see cref="KdcListener"/>.
        /// </summary>
        /// <param name="port">Port on the loopback interface the KDC listens on.</param>
        /// <param name="slow">Forwarded to <c>LocateRealm</c>; presumably slows realm lookups for timeout tests — confirm there.</param>
        /// <returns>The wrapped, configured server.</returns>
        public static KdcListener StartListener(int port, bool slow = false)
        {
            const string defaultRealm = "corp2.identityintervention.com";

            var options = new KdcServerOptions
            {
                // Loopback only: the test KDC must never be reachable from other hosts.
                ListeningOn    = new IPEndPoint(IPAddress.Loopback, port),
                DefaultRealm   = defaultRealm.ToUpper(CultureInfo.InvariantCulture),
                IsDebug        = true,
                RealmLocator   = requestedRealm => LocateRealm(requestedRealm, slow),
                // A one-hour idle timeout is a debugger convenience, far beyond what a
                // real KDC should tolerate per connection.
                ReceiveTimeout = TimeSpan.FromHours(1)
            };

            var server = new KdcServer(options);

            // PKINIT (PA-PK-AS-REQ) pre-auth; EndCertOnly presumably restricts the signed
            // reply to the end-entity certificate rather than the full chain.
            server.RegisterPreAuthHandler(
                PaDataType.PA_PK_AS_REQ,
                service => new PaDataPkAsReqHandler(service) { IncludeOption = X509IncludeOption.EndCertOnly }
            );

            return new KdcListener(server);
        }
        public async Task ParseKdcProxyMessage()
        {
            var credential = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
            var asReqBytes = KrbAsReq.CreateAsReq(credential, 0).EncodeApplication();

            // Hand-roll the proxy payload: a 4-byte big-endian length followed by the
            // AS-REQ itself, exactly as a proxy client would frame it.
            var framed = new Memory<byte>(new byte[4 + asReqBytes.Length]);

            Endian.ConvertToBigEndian(asReqBytes.Length, framed.Slice(0, 4));
            asReqBytes.CopyTo(framed.Slice(4, asReqBytes.Length));

            var proxied = new KdcProxyMessage
            {
                TargetDomain  = "corp.identityintervention.com",
                KerbMessage   = framed,
                DcLocatorHint = DcLocatorHint.DS_AVOID_SELF
            };

            var server = new KdcServer(new ListenerOptions { RealmLocator = LocateFakeRealm });

            var reply = await server.ProcessMessage(new ReadOnlySequence<byte>(proxied.Encode()));

            // Non-empty, and wrapped in proxy framing rather than a bare KRB-ERROR.
            Assert.IsTrue(reply.Length > 0);
            Assert.IsFalse(KrbError.CanDecode(reply));

            var innerError = KrbError.DecodeApplication(KdcProxyMessage.Decode(reply).UnwrapMessage());

            // The KDC refuses to issue anything until the client pre-authenticates.
            Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, innerError.ErrorCode);
        }
 /// <summary>
 /// Wraps an already-configured <see cref="KdcServer"/>. Construction only stores the
 /// reference; nothing is bound or started here.
 /// </summary>
 /// <param name="server">The server this listener drives.</param>
 private KdcListener(KdcServer server) => this.server = server;
 /// <summary>
 /// Test double hosting a <see cref="KdcServer"/> behind a TCP listener on 127.0.0.1 with
 /// an OS-assigned ephemeral port (port 0), so parallel tests do not collide on a port
 /// and the fake KDC is never reachable from off-host.
 /// </summary>
 /// <param name="serverOptions">Passed straight through to the wrapped <see cref="KdcServer"/>.</param>
 public FakeKdcServer(KdcServerOptions serverOptions)
 {
     const int anyFreePort = 0;

     _kdcServer   = new KdcServer(serverOptions);
     _tcpListener = new TcpListener(System.Net.IPAddress.Loopback, anyFreePort);
     _runningLock = new object(); // private gate for start/stop state; never lock on `this`
 }
        /// <summary>
        /// Brings up the embedded test KDC: loads the LDIF fixture into the directory,
        /// starts the KDC on the configured transport, writes a krb5.conf for this
        /// instance and points the JVM's Kerberos configuration at it. This is a
        /// Java-to-C# transliteration of Hadoop's MiniKdc; several helpers
        /// (<c>conf</c>, <c>ds</c>, <c>GetRealm</c>, <c>GetHost</c>, <c>GetPort</c>)
        /// live outside this listing.
        /// </summary>
        /// <exception cref="System.Exception"/>
        private void InitKDCServer()
        {
            string orgName     = conf.GetProperty(OrgName);
            string orgDomain   = conf.GetProperty(OrgDomain);
            // Taken verbatim from configuration; anything other than a loopback address
            // exposes this pre-auth-free test KDC to the network.
            string bindAddress = conf.GetProperty(KdcBindAddress);
            // Substitution values for the minikdc.ldiff template:
            // 0/1 lower-cased org name/domain, 2/3 upper-cased, 4 the bind address.
            IDictionary <string, string> map = new Dictionary <string, string>();

            map["0"] = orgName.ToLower(Extensions.GetEnglishCulture());
            map["1"] = orgDomain.ToLower(Extensions.GetEnglishCulture());
            map["2"] = orgName.ToUpper(Extensions.GetEnglishCulture());
            map["3"] = orgDomain.ToUpper(Extensions.GetEnglishCulture());
            map["4"] = bindAddress;
            ClassLoader   cl            = Thread.CurrentThread().GetContextClassLoader();
            InputStream   is1           = cl.GetResourceAsStream("minikdc.ldiff");
            SchemaManager schemaManager = ds.GetSchemaManager();
            LdifReader    reader        = null;

            try
            {
                // Expand the template and add every entry through the admin session.
                string content = StrSubstitutor.Replace(IOUtils.ToString(is1), map);
                reader = new LdifReader(new StringReader(content));
                foreach (LdifEntry ldifEntry in reader)
                {
                    ds.GetAdminSession().Add(new DefaultEntry(schemaManager, ldifEntry.GetEntry()));
                }
            }
            finally
            {
                IOUtils.CloseQuietly(reader);
                IOUtils.CloseQuietly(is1);
            }
            // NOTE(review): this KerberosConfig is fully populated but never handed to the
            // KDC — the constructor call that would consume it is commented out below and
            // the parameterless KdcServer is used instead, so the lifetimes, search base DN
            // and the pre-auth setting here are NOT in effect; the KDC runs on library
            // defaults. Confirm against the KdcServer binding and reinstate a config
            // constructor/setter if one exists.
            KerberosConfig kerberosConfig = new KerberosConfig();

            kerberosConfig.SetMaximumRenewableLifetime(long.Parse(conf.GetProperty(MaxRenewableLifetime
                                                                                   )));
            kerberosConfig.SetMaximumTicketLifetime(long.Parse(conf.GetProperty(MaxTicketLifetime
                                                                                )));
            // NOTE(review): "%s" is a Java printf placeholder; .NET string.Format leaves it
            // untouched, so this produces the literal "dc=%s,dc=%s" rather than the
            // org/domain DN. Use {0}/{1} if this config is ever reinstated.
            kerberosConfig.SetSearchBaseDn(string.Format("dc=%s,dc=%s", orgName, orgDomain));
            // Intended to waive PA-ENC-TIMESTAMP pre-authentication, i.e. issue AS-REPs to
            // unauthenticated requests. Acceptable only for a throw-away test realm: every
            // principal's AS-REP becomes offline-crackable. Currently unapplied (see above).
            kerberosConfig.SetPaEncTimestampRequired(false);
            //kdc = new KdcServer(kerberosConfig);
            kdc = new KdcServer();
            kdc.SetDirectoryService(ds);
            // transport
            string transport = conf.GetProperty(Transport);

            if (transport.Trim().Equals("TCP"))
            {
                // Trailing 3 and 50 are presumably worker-thread count and accept backlog —
                // confirm against the TcpTransport constructor.
                kdc.AddTransports(new TcpTransport(bindAddress, port, 3, 50));
            }
            else
            {
                if (transport.Trim().Equals("UDP"))
                {
                    // NOTE(review): unlike the TCP branch, bindAddress is not passed here, so
                    // the UDP transport presumably binds its default (possibly all)
                    // interfaces — confirm before relying on bindAddress to limit exposure.
                    kdc.AddTransports(new UdpTransport(port));
                }
                else
                {
                    throw new ArgumentException("Invalid transport: " + transport);
                }
            }
            kdc.SetServiceName(conf.GetProperty(Instance));
            kdc.Start();
            // Read the krb5.conf template, joining lines with "{3}" so MessageFormat below
            // can substitute the platform line separator (its fourth argument).
            StringBuilder  sb  = new StringBuilder();
            InputStream    is2 = cl.GetResourceAsStream("minikdc-krb5.conf");
            BufferedReader r   = null;

            try
            {
                r = new BufferedReader(new InputStreamReader(is2, Charsets.Utf8));
                string line = r.ReadLine();
                while (line != null)
                {
                    sb.Append(line).Append("{3}");
                    line = r.ReadLine();
                }
            }
            finally
            {
                IOUtils.CloseQuietly(r);
                IOUtils.CloseQuietly(is2);
            }
            // Template arguments: {0} realm, {1} host, {2} port, {3} line separator.
            krb5conf = new FilePath(workDir, "krb5.conf").GetAbsoluteFile();
            FileUtils.WriteStringToFile(krb5conf, MessageFormat.Format(sb.ToString(), GetRealm
                                                                           (), GetHost(), Extensions.ToString(GetPort()), Runtime.GetProperty("line.separator"
                                                                                                                                              )));
            // Process-wide JVM properties: two MiniKdc instances in one process will
            // overwrite each other's krb5.conf pointer.
            Runtime.SetProperty(JavaSecurityKrb5Conf, krb5conf.GetAbsolutePath());
            Runtime.SetProperty(SunSecurityKrb5Debug, conf.GetProperty(Debug, "false"));
            // refresh the config
            // Force the JVM's cached Kerberos configuration to re-read the new krb5.conf by
            // reflectively calling the vendor-specific internal Config.refresh(). These are
            // unsupported internal classes and may be absent or renamed on other JDKs.
            Type classRef;

            if (Runtime.GetProperty("java.vendor").Contains("IBM"))
            {
                classRef = Runtime.GetType("com.ibm.security.krb5.internal.Config");
            }
            else
            {
                classRef = Runtime.GetType("sun.security.krb5.Config");
            }
            MethodInfo refreshMethod = classRef.GetMethod("refresh", new Type[0]);

            refreshMethod.Invoke(classRef, new object[0]);
            Log.Info("MiniKdc listening at port: {}", GetPort());
            Log.Info("MiniKdc setting JVM krb5.conf to: {}", krb5conf.GetAbsolutePath());
        }