8075297: Tests for RFEs 4515853 and 4745056

Reviewed-by: weijun

jdk/test/sun/security/krb5/auto/BogusKDC.java

@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import java.util.Map;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+/*
+ * @test
+ * @bug 4515853 8075297
+ * @summary Checks that Kerberos client tries slave KDC
+ *          if master KDC is not responding
+ * @run main/othervm BogusKDC
+ */
+public class BogusKDC {
+
+    static final String TEST_SRC = System.getProperty("test.src", ".");
+    static final String HOST = "localhost";
+    static final String NOT_EXISTING_HOST = "not.existing.host";
+    static final String REALM = "TEST.REALM";
+    static final String USER = "USER";
+    static final String USER_PRINCIPAL = USER + "@" + REALM;
+    static final String USER_PASSWORD = "password";
+    static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
+    static final String KRB5_CONF = "krb5.conf";
+    static final int WRONG_KDC_PORT = 21;
+
+    static final String KRB5_CONF_TEMPLATE = ""
+            + "[libdefaults]\n"
+            + "default_realm = TEST.REALM\n"
+            + "max_retries = 1\n"
+            + "\n"
+            + "[realms]\n"
+            + "TEST.REALM = {\n"
+            + "    kdc = %s\n"
+            + "    kdc = localhost:%d\n"
+            + "}";
+
+    public static void main(String[] args) throws LoginException, IOException {
+        Map<String, String> principals = new HashMap<>();
+        principals.put(USER_PRINCIPAL, USER_PASSWORD);
+        principals.put(KRBTGT_PRINCIPAL, null);
+
+        System.setProperty("java.security.krb5.conf", KRB5_CONF);
+
+        // start a local KDC
+        KDC kdc = KDC.startKDC(HOST, KRB5_CONF, REALM, principals, null, null);
+
+        System.setProperty("java.security.auth.login.config",
+                TEST_SRC + File.separator + "refreshKrb5Config.jaas");
+
+        CallbackHandler handler = new Helper.UserPasswordHandler(
+                USER, USER_PASSWORD);
+
+        // create a krb5 config with non-existing host for master KDC,
+        // and wrong port for slave KDC
+        try (PrintWriter w = new PrintWriter(new FileWriter(KRB5_CONF))) {
+            w.write(String.format(KRB5_CONF_TEMPLATE,
+                    KDC.KDCNameService.NOT_EXISTING_HOST, WRONG_KDC_PORT));
+            w.flush();
+        }
+
+        // login with not-refreshable config
+        try {
+            new LoginContext("NotRefreshable", handler).login();
+            throw new RuntimeException("Expected exception not thrown");
+        } catch (LoginException le) {
+            System.out.println("Expected login failure: " + le);
+        }
+
+        // create a krb5 config with non-existing host for master KDC,
+        // but correct port for slave KDC
+        try (PrintWriter w = new PrintWriter(new FileWriter(KRB5_CONF))) {
+            w.write(String.format(KRB5_CONF_TEMPLATE,
+                    KDC.KDCNameService.NOT_EXISTING_HOST, kdc.getPort()));
+            w.flush();
+        }
+
+        // login with not-refreshable config
+        try {
+            new LoginContext("NotRefreshable", handler).login();
+            throw new RuntimeException("Expected exception not thrown");
+        } catch (LoginException le) {
+            System.out.println("Expected login failure: " + le);
+        }
+
+        // login with refreshable config
+        new LoginContext("Refreshable", handler).login();
+
+        System.out.println("Test passed");
+    }
+}

jdk/test/sun/security/krb5/auto/Helper.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+public class Helper {
+
+    static class UserPasswordHandler implements CallbackHandler {
+
+        private final String name;
+        private final String password;
+
+        UserPasswordHandler(String name, String password) {
+            this.name = name;
+            this.password = password;
+        }
+
+        @Override
+        public void handle(Callback[] callbacks)
+                throws UnsupportedCallbackException {
+            for (Callback callback : callbacks) {
+                if (callback instanceof PasswordCallback) {
+                    ((PasswordCallback) callback).setPassword(
+                            password.toCharArray());
+                } else if (callback instanceof NameCallback) {
+                    ((NameCallback)callback).setName(name);
+                } else {
+                    throw new UnsupportedCallbackException(callback);
+                }
+            }
+        }
+    }
+}

jdk/test/sun/security/krb5/auto/KDC.java

@@ -1320,14 +1320,17 @@ public class KDC {
         }
     }
 
-    public static void startKDC(final String host, final String krbConfFileName,
+    public static KDC startKDC(final String host, final String krbConfFileName,
             final String realm, final Map<String, String> principals,
             final String ktab, final KtabMode mode) {
 
+        KDC kdc;
         try {
-            KDC kdc = KDC.create(realm, host, 0, true);
+            kdc = KDC.create(realm, host, 0, true);
             kdc.setOption(KDC.Option.PREAUTH_REQUIRED, Boolean.FALSE);
+            if (krbConfFileName != null) {
                 KDC.saveConfig(krbConfFileName, kdc);
+            }
 
             // Add principals
             if (principals != null) {
@@ -1379,6 +1382,7 @@ public class KDC {
             throw new RuntimeException("KDC: unexpected exception", e);
         }
 
+        return kdc;
     }
 
     /**
@@ -1428,13 +1432,20 @@ public class KDC {
     }
 
     public static class KDCNameService implements NameServiceDescriptor {
+
+        public static String NOT_EXISTING_HOST = "not.existing.host";
+
         @Override
         public NameService createNameService() throws Exception {
             NameService ns = new NameService() {
                 @Override
                 public InetAddress[] lookupAllHostAddr(String host)
                         throws UnknownHostException {
-                    // Everything is localhost
+                    // Everything is localhost except NOT_EXISTING_HOST
+                    if (NOT_EXISTING_HOST.equals(host)) {
+                        throw new UnknownHostException("Unknown host name: "
+                                + NOT_EXISTING_HOST);
+                    }
                     return new InetAddress[]{
                         InetAddress.getByAddress(host, new byte[]{127,0,0,1})
                     };

jdk/test/sun/security/krb5/auto/RefreshKrb5Config.java

@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+/*
+ * @test
+ * @bug 4745056 8075297
+ * @summary Checks if refreshKrb5Config is set to true for Krb5LoginModule,
+ *          then configuration will be refreshed before login() method is called
+ * @run main/othervm RefreshKrb5Config
+ */
+public class RefreshKrb5Config {
+
+    static final String TEST_SRC = System.getProperty("test.src", ".");
+    static final String HOST = "localhost";
+    static final String NOT_EXISTING_HOST = "not.existing.host";
+    static final String REALM = "TEST.REALM";
+    static final String USER = "USER";
+    static final String USER_PRINCIPAL = USER + "@" + REALM;
+    static final String USER_PASSWORD = "password";
+    static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
+    static final String KRB5_CONF_FILENAME = "krb5.conf";
+
+    public static void main(String[] args) throws LoginException, IOException {
+        Map<String, String> principals = new HashMap<>();
+        principals.put(USER_PRINCIPAL, USER_PASSWORD);
+        principals.put(KRBTGT_PRINCIPAL, null);
+
+        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);
+
+        // start a local KDC, and save krb5 config
+        KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null);
+        KDC.saveConfig(KRB5_CONF_FILENAME, kdc, "max_retries = 1");
+
+        System.setProperty("java.security.auth.login.config",
+                TEST_SRC + File.separator + "refreshKrb5Config.jaas");
+
+        CallbackHandler handler = new Helper.UserPasswordHandler(
+                USER, USER_PASSWORD);
+
+        // set incorrect KDC
+        System.out.println("java.security.krb5.kdc = " + NOT_EXISTING_HOST);
+        System.setProperty("java.security.krb5.kdc", NOT_EXISTING_HOST);
+        System.out.println("java.security.krb5.realm = " + REALM);
+        System.setProperty("java.security.krb5.realm", REALM);
+        try {
+            new LoginContext("Refreshable", handler).login();
+            throw new RuntimeException("Expected exception not thrown");
+        } catch (LoginException le) {
+            System.out.println("Expected login failure: " + le);
+        }
+
+        // reset properties
+        System.out.println("Reset java.security.krb5.kdc");
+        System.clearProperty("java.security.krb5.kdc");
+        System.out.println("Reset java.security.krb5.realm");
+        System.clearProperty("java.security.krb5.realm");
+
+        // login with not-refreshable config
+        try {
+            new LoginContext("NotRefreshable", handler).login();
+            throw new RuntimeException("Expected exception not thrown");
+        } catch (LoginException le) {
+            System.out.println("Expected login failure: " + le);
+        }
+
+        // login with refreshable config
+        new LoginContext("Refreshable", handler).login();
+
+        System.out.println("Test passed");
+    }
+
+}

jdk/test/sun/security/krb5/auto/refreshKrb5Config.jaas

@@ -0,0 +1,11 @@
+Refreshable {
+    com.sun.security.auth.module.Krb5LoginModule required
+        useTicketCache=false
+        refreshKrb5Config=true;
+};
+
+NotRefreshable {
+    com.sun.security.auth.module.Krb5LoginModule required
+        useTicketCache=false
+        refreshKrb5Config=false;
+};