コード例 #1
        /// <summary>
        /// Wraps an encoded AS-REQ in a <c>KdcProxyMessage</c> using <c>KdcProxyMessageMode.NoPrefix</c>,
        /// hands it to the KDC, and checks that the reply is itself a proxy message (not a bare
        /// <c>KrbError</c>) whose payload is a <c>KDC_ERR_PREAUTH_REQUIRED</c> error unwrapped in the same mode.
        /// </summary>
        public async Task ParseKdcProxyMessage_WithoutLength()
        {
            // Fixture credential only; the literal password is test data, not a real secret.
            var credential = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
            var asReqBytes = KrbAsReq.CreateAsReq(credential, 0).EncodeApplication();

            var proxyRequest = KdcProxyMessage.WrapMessage(
                asReqBytes,
                "corp.identityintervention.com",
                DcLocatorHint.DS_AVOID_SELF,
                mode: KdcProxyMessageMode.NoPrefix);

            var serverOptions = new KdcServerOptions
            {
                RealmLocator = realm => new FakeRealmService(realm)
            };
            var server = new KdcServer(serverOptions);

            var reply = await server.ProcessMessage(proxyRequest.Encode());

            Assert.IsTrue(reply.Length > 0);

            // The reply must not be a raw KRB-ERROR: the test expects it to come back proxy-wrapped.
            Assert.IsFalse(KrbError.CanDecode(reply));

            var proxyReply = KdcProxyMessage.Decode(reply);

            KdcProxyMessageMode replyMode;
            var innerError = KrbError.DecodeApplication(proxyReply.UnwrapMessage(out replyMode));

            Assert.AreEqual(KdcProxyMessageMode.NoPrefix, replyMode);
            Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, innerError.ErrorCode);
        }
コード例 #2
        /// <summary>
        /// Sends the KDC an encoded, empty <c>KrbChecksum</c> and checks that the reply decodes as a
        /// <c>KrbError</c> with <c>KRB_ERR_GENERIC</c>, i.e. the unexpected input is answered with a
        /// protocol error.
        /// </summary>
        public async Task KdcTagPeekFailureApplication()
        {
            var options = new KdcServerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug = true,
                Log = new FakeExceptionLoggerFactory()
            };
            var server = new KdcServer(options);

            // A checksum structure is what this test uses as the unexpected message.
            var unexpectedMessage = new KrbChecksum().Encode();

            var reply = await server.ProcessMessage(unexpectedMessage);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
        }
コード例 #3
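    /// <summary>
    /// Starts the TCP listener and a background loop that serves one length-prefixed request per
    /// accepted connection: a 4-byte big-endian length, then the message, which is passed to
    /// <c>_kdcServer.ProcessMessage</c>. The reply is written back with the same framing.
    /// </summary>
    /// <returns>A completed task holding the listener's local endpoint.</returns>
    /// <remarks>
    /// The background task is not awaited or stored, so an exception inside the loop ends the loop
    /// (clearing <c>_running</c> in the <c>finally</c>) without being surfaced to the caller.
    /// </remarks>
    public Task<IPEndPoint> Start()
    {
        const int LengthPrefixSize = 4;

        // The length prefix comes straight off the wire and is therefore peer-controlled. Without a
        // bound, a negative value makes ArrayPool.Rent throw and a very large one forces a huge
        // allocation. NOTE(review): 1 MiB is a reviewer-chosen ceiling; adjust if larger messages
        // are legitimate for this listener.
        const int MaxRequestSize = 1024 * 1024;

        _cancellationTokenSource = new CancellationTokenSource();
        _running = true;
        _tcpListener.Start();

        var cancellationToken = _cancellationTokenSource.Token;

        Task.Run(async () =>
        {
            try
            {
                byte[] sizeBuffer = new byte[LengthPrefixSize];
                do
                {
                    using var socket = await _tcpListener.AcceptSocketAsync(cancellationToken);
                    using var socketStream = new NetworkStream(socket);

                    await socketStream.ReadExactlyAsync(sizeBuffer, cancellationToken);
                    var messageSize = BinaryPrimitives.ReadInt32BigEndian(sizeBuffer);

                    if (messageSize < 0 || messageSize > MaxRequestSize)
                    {
                        // Drop the connection instead of letting one bad frame stop the accept loop.
                        continue;
                    }

                    var requestRented = ArrayPool<byte>.Shared.Rent(messageSize);
                    try
                    {
                        var request = requestRented.AsMemory(0, messageSize);

                        // Pass the token so a stalled peer cannot block shutdown mid-read.
                        await socketStream.ReadExactlyAsync(request, cancellationToken);

                        var response = await _kdcServer.ProcessMessage(request);

                        // The prefix carries the message length only, mirroring how the request is
                        // read above. The previous code wrote (length + 4) into the prefix and then
                        // sent four more bytes than it had filled in, which put stale pooled-buffer
                        // content on the wire and could slice past the end of the rented array.
                        var frameLength = LengthPrefixSize + response.Length;
                        var responseRented = ArrayPool<byte>.Shared.Rent(frameLength);
                        try
                        {
                            BinaryPrimitives.WriteInt32BigEndian(
                                responseRented.AsSpan(0, LengthPrefixSize),
                                response.Length);
                            response.CopyTo(responseRented.AsMemory(LengthPrefixSize, response.Length));

                            await socketStream.WriteAsync(
                                responseRented.AsMemory(0, frameLength),
                                cancellationToken);
                        }
                        finally
                        {
                            ArrayPool<byte>.Shared.Return(responseRented);
                        }
                    }
                    finally
                    {
                        // Return the buffer on the failure path too.
                        ArrayPool<byte>.Shared.Return(requestRented);
                    }
                }
                while (!cancellationToken.IsCancellationRequested);
            }
            finally
            {
                // Signal anyone waiting on _runningLock that the loop has exited.
                lock (_runningLock)
                {
                    _running = false;
                    Monitor.Pulse(_runningLock);
                }
            }
        });

        return Task.FromResult((IPEndPoint)_tcpListener.LocalEndpoint);
    }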
コード例 #4
        /// <summary>
        /// Sends the KDC an encoded <c>KrbCred</c> with no tickets and checks that the reply is a
        /// <c>KRB_ERR_GENERIC</c> error whose text reports that no message handler is registered.
        /// </summary>
        public async Task KdcTagPeekFailureUnknownHandler()
        {
            // NOTE(review): presumably IsDebug is what puts the detailed reason into EText. If so,
            // that detail is an information disclosure to keep out of production configs; confirm.
            var options = new KdcServerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug = true
            };
            var server = new KdcServer(options);

            var emptyCred = new KrbCred
            {
                Tickets = Array.Empty<KrbTicket>()
            };

            var reply = await server.ProcessMessage(emptyCred.EncodeApplication());
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
            Assert.IsTrue(error.EText.Contains("doesn't have a message handler registered"));
        }
コード例 #5
        /// <summary>
        /// Sends the KDC an encoded, empty <c>KrbEncApRepPart</c> and checks that the reply is a
        /// <c>KRB_ERR_GENERIC</c> error whose text reports that no message handler is registered.
        /// </summary>
        public async Task TestKdcTagPeekFailureUnknownHandler()
        {
            var options = new ListenerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug = true
            };
            var server = new KdcServer(options);

            // Copy the encoding into an array so it can be wrapped as a single-segment sequence.
            var encoded = new KrbEncApRepPart().EncodeApplication().ToArray();
            var request = new ReadOnlySequence<byte>(encoded);

            var reply = await server.ProcessMessage(request);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
            Assert.IsTrue(error.EText.Contains("doesn't have a message handler registered"));
        }
コード例 #6
        /// <summary>
        /// Sends the KDC an encoded, empty <c>KrbChecksum</c> and checks that the reply is a
        /// <c>KRB_ERR_GENERIC</c> error whose text contains "Unknown incoming tag".
        /// </summary>
        public async Task TestKdcTagPeekFailureApplication()
        {
            var options = new ListenerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug = true,
                Log = new ValidatorTests.TestLogger()
            };
            var server = new KdcServer(options);

            // Copy the encoding into an array so it can be wrapped as a single-segment sequence.
            var encoded = new KrbChecksum().Encode().ToArray();
            var request = new ReadOnlySequence<byte>(encoded);

            var reply = await server.ProcessMessage(request);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
            Assert.IsTrue(error.EText.Contains("Unknown incoming tag"));
        }
コード例 #7
        /// <summary>
        /// Registers a <c>KRB_CRED</c> handler builder that returns <c>null</c>, sends an encoded
        /// <c>KrbCred</c>, and checks that the KDC answers with <c>KRB_ERR_GENERIC</c> and an error
        /// text naming the offending builder.
        /// </summary>
        public async Task KdcTagPeekFailureNullBuilder()
        {
            var options = new KdcServerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug = true
            };
            var server = new KdcServer(options);

            // Deliberately broken registration: the builder yields no handler.
            server.RegisterMessageHandler(MessageType.KRB_CRED, (b, o) => null);

            var emptyCred = new KrbCred
            {
                Tickets = Array.Empty<KrbTicket>()
            };

            var reply = await server.ProcessMessage(emptyCred.EncodeApplication());
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
            Assert.IsTrue(error.EText.Contains("Message handler builder KRB_CRED must not return null"));
        }
コード例 #8
        /// <summary>
        /// Registers a handler builder for message type 27 that returns <c>null</c>, sends an encoded
        /// <c>KrbEncApRepPart</c>, and checks that the KDC answers with <c>KRB_ERR_GENERIC</c> and an
        /// error text naming builder 27.
        /// </summary>
        public async Task TestKdcTagPeekFailureNullBuilder()
        {
            var options = new ListenerOptions
            {
                DefaultRealm = "domain.com",
                IsDebug = true
            };
            var server = new KdcServer(options);

            // NOTE(review): 27 presumably matches the application tag of KrbEncApRepPart, which is
            // why this request reaches the null-returning builder; confirm against the entity's tag.
            server.RegisterMessageHandler((MessageType)27, (b, o) => null);

            // Copy the encoding into an array so it can be wrapped as a single-segment sequence.
            var encoded = new KrbEncApRepPart().EncodeApplication().ToArray();
            var request = new ReadOnlySequence<byte>(encoded);

            var reply = await server.ProcessMessage(request);
            var error = KrbError.DecodeApplication(reply);

            Assert.IsNotNull(error);
            Assert.AreEqual(KerberosErrorCode.KRB_ERR_GENERIC, error.ErrorCode);
            Assert.IsTrue(error.EText.Contains("Message handler builder 27 must not return null"));
        }
コード例 #9
        /// <summary>
        /// Builds a <c>KdcProxyMessage</c> by hand, with a 4-byte big-endian length followed by the
        /// encoded AS-REQ, sends it to the KDC, and checks that the reply is a proxy message (not a bare
        /// <c>KrbError</c>) whose payload is a <c>KDC_ERR_PREAUTH_REQUIRED</c> error.
        /// </summary>
        public async Task ParseKdcProxyMessage()
        {
            // Fixture credential only; the literal password is test data, not a real secret.
            var credential = new KerberosPasswordCredential("*****@*****.**", "P@ssw0rd!");
            var asReqBytes = KrbAsReq.CreateAsReq(credential, 0).EncodeApplication();

            // Frame layout: [0..4) length prefix, [4..) the AS-REQ itself.
            var framed = new Memory<byte>(new byte[asReqBytes.Length + 4]);
            var lengthPrefix = framed.Slice(0, 4);
            var payload = framed.Slice(4, asReqBytes.Length);

            Endian.ConvertToBigEndian(asReqBytes.Length, lengthPrefix);
            asReqBytes.CopyTo(payload);

            var proxyRequest = new KdcProxyMessage
            {
                TargetDomain = "corp.identityintervention.com",
                KerbMessage = framed,
                DcLocatorHint = DcLocatorHint.DS_AVOID_SELF
            };

            var options = new ListenerOptions
            {
                RealmLocator = LocateFakeRealm
            };
            var server = new KdcServer(options);

            var reply = await server.ProcessMessage(new ReadOnlySequence<byte>(proxyRequest.Encode()));

            Assert.IsTrue(reply.Length > 0);

            // The reply must not be a raw KRB-ERROR: the test expects it to come back proxy-wrapped.
            Assert.IsFalse(KrbError.CanDecode(reply));

            var proxyReply = KdcProxyMessage.Decode(reply);
            var innerError = KrbError.DecodeApplication(proxyReply.UnwrapMessage());

            Assert.AreEqual(KerberosErrorCode.KDC_ERR_PREAUTH_REQUIRED, innerError.ErrorCode);
        }
コード例 #10
ファイル: KdcListener.cs プロジェクト: zha0/Kerberos.NET
 /// <summary>
 /// Passes the request bytes to <c>server.ProcessMessage</c> and returns whatever it produces.
 /// </summary>
 /// <param name="req">The request bytes to process.</param>
 /// <returns>The response bytes produced by the server.</returns>
 internal async Task<ReadOnlyMemory<byte>> Receive(ReadOnlyMemory<byte> req)
 {
     var reply = await server.ProcessMessage(req);

     return reply;
 }