This is an automated email from the ASF dual-hosted git repository.

tabish pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-jms.git


The following commit(s) were added to refs/heads/main by this push:
     new 86cf45c  QPIDJMS-428 Fix Kerberos tests failing on JDK's above 8
86cf45c is described below

commit 86cf45ce83aa072622c90afe45ad9ab351df4582
Author: Timothy Bish <[email protected]>
AuthorDate: Tue May 11 17:12:31 2021 -0400

    QPIDJMS-428 Fix Kerberos tests failing on JDK's above 8
    
    Update to MiniKDC 3.3.0 and fix issue that caused our test configuration
    not to work due to the newer MiniKDC versions generating their own conf
    files that don't allow any means of specifying a default keytab location.
---
 pom.xml                                            |  24 +----
 .../jms/integration/SaslGssApiIntegrationTest.java | 103 +++++++++++++++------
 ...inikdc-krb5.conf => minikdc-krb5-template.conf} |  12 ++-
 3 files changed, 84 insertions(+), 55 deletions(-)

diff --git a/pom.xml b/pom.xml
index aa9bd8a..9657003 100644
--- a/pom.xml
+++ b/pom.xml
@@ -53,7 +53,7 @@
     <jetty-version>9.4.22.v20191022</jetty-version>
     <mockito-version>3.8.0</mockito-version>
     <hamcrest-version>2.2</hamcrest-version>
-    <hadoop-minikdc-version>2.9.0</hadoop-minikdc-version>
+    <hadoop-minikdc-version>3.3.0</hadoop-minikdc-version>
 
     <!-- Maven Plugin Versions for this Project -->
     <maven-javacc-plugin-version>2.6</maven-javacc-plugin-version>
@@ -395,27 +395,5 @@
         <maven.compiler.release>8</maven.compiler.release>
       </properties>
     </profile>
-
-    <profile>
-      <id>java11on</id>
-      <activation>
-        <jdk>[11,)</jdk>
-      </activation>
-      <build>
-        <pluginManagement>
-          <plugins>
-            <plugin>
-              <groupId>org.apache.maven.plugins</groupId>
-              <artifactId>maven-surefire-plugin</artifactId>
-              <configuration>
-                <excludes>
-                  <exclude>**/SaslGssApiIntegrationTest.java</exclude>
-                </excludes>
-              </configuration>
-            </plugin>
-          </plugins>
-        </pluginManagement>
-      </build>
-    </profile>
   </profiles>
 </project>
diff --git 
a/qpid-jms-client/src/test/java/org/apache/qpid/jms/integration/SaslGssApiIntegrationTest.java
 
b/qpid-jms-client/src/test/java/org/apache/qpid/jms/integration/SaslGssApiIntegrationTest.java
index 0e63b40..f9ae4a6 100644
--- 
a/qpid-jms-client/src/test/java/org/apache/qpid/jms/integration/SaslGssApiIntegrationTest.java
+++ 
b/qpid-jms-client/src/test/java/org/apache/qpid/jms/integration/SaslGssApiIntegrationTest.java
@@ -20,9 +20,34 @@
  */
 package org.apache.qpid.jms.integration;
 
-import org.apache.directory.server.kerberos.shared.keytab.Keytab;
-import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
+import static junit.framework.TestCase.assertTrue;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.nio.ByteBuffer;
+import java.nio.channels.Channels;
+import java.nio.channels.WritableByteChannel;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Properties;
+
+import javax.jms.Connection;
+import javax.jms.ConnectionFactory;
+import javax.jms.JMSSecurityException;
+
 import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.kerby.kerberos.kerb.keytab.Keytab;
+import org.apache.kerby.kerberos.kerb.keytab.KeytabEntry;
+import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
 import org.apache.qpid.jms.JmsConnectionFactory;
 import org.apache.qpid.jms.test.QpidJmsTestCase;
 import org.apache.qpid.jms.test.testpeer.TestAmqpPeer;
@@ -35,20 +60,6 @@ import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.jms.Connection;
-import javax.jms.ConnectionFactory;
-import javax.jms.JMSSecurityException;
-import java.io.File;
-import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.nio.file.FileSystems;
-import java.nio.file.Files;
-import java.nio.file.Path;
-
-import static junit.framework.TestCase.assertTrue;
-import static org.junit.Assert.assertNull;
-import static org.junit.Assert.fail;
-
 public class SaslGssApiIntegrationTest extends QpidJmsTestCase {
 
     private static final Logger LOG = 
LoggerFactory.getLogger(SaslGssApiIntegrationTest.class);
@@ -57,6 +68,8 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
     private static final String GSSAPI = "GSSAPI";
     private static final Symbol ANONYMOUS = Symbol.valueOf("ANONYMOUS");
     private static final Symbol PLAIN = Symbol.valueOf("PLAIN");
+    private static final String KRB5_TCP_PORT_TEMPLATE = "MINI_KDC_PORT";
+    private static final String KRB5_CONFIG_TEMPLATE = 
"minikdc-krb5-template.conf";
     private static final String KRB5_KEYTAB = 
"target/SaslGssApiIntegrationTest.krb5.keytab";
     private static final String CLIENT_PRINCIPAL_LOGIN_CONFIG = 
"clientprincipal";
     private static final String CLIENT_PRINCIPAL_FACTORY_USERNAME = 
"factoryusername";
@@ -76,18 +89,32 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
         Path tempDirectory = Files.createTempDirectory(targetDir, 
"junit.SaslGssApiIntegrationTest.");
         File root = tempDirectory.toFile();
 
-        kdc = new MiniKdc(MiniKdc.createConf(), new File(root, "kdc"));
+        Properties kdcConf = MiniKdc.createConf();
+        kdcConf.setProperty("debug", Boolean.toString(DEBUG));
+
+        kdc = new MiniKdc(kdcConf, new File(root, "kdc"));
         kdc.start();
 
-        // hard coded match, default_keytab_name in minikdc-krb5.conf template
         File userKeyTab = new File(KRB5_KEYTAB);
         kdc.createPrincipal(userKeyTab, CLIENT_PRINCIPAL_LOGIN_CONFIG, 
CLIENT_PRINCIPAL_FACTORY_USERNAME,
                 CLIENT_PRINCIPAL_URI_USERNAME, 
CLIENT_PRINCIPAL_DEFAULT_CONFIG_SCOPE, servicePrincipal);
 
+        // We need to hard code the default keyTab into the Krb5 configuration 
file which is not possible
+        // with this version of MiniKDC so we use a template file and replace 
the port with the value from
+        // the MiniKDC instance we just started.
+        rewriteKrbConfFile(kdc);
+
         if (DEBUG) {
-            Keytab kt = Keytab.read(userKeyTab);
-            for (KeytabEntry entry : kt.getEntries()) {
-                LOG.info("KeyTab Entry: PrincipalName:" + 
entry.getPrincipalName() + " ; KeyInfo:"+ entry.getKey().getKeyType());
+            LOG.debug("java.security.krb5.conf='{}'", 
System.getProperty("java.security.krb5.conf"));
+            try (BufferedReader br = new BufferedReader(new 
FileReader(System.getProperty("java.security.krb5.conf")))) {
+                br.lines().forEach(line -> LOG.debug(line));
+            }
+
+            Keytab kt = Keytab.loadKeytab(userKeyTab);
+            for (PrincipalName name : kt.getPrincipals()) {
+                for (KeytabEntry entry : kt.getKeytabEntries(name)) {
+                    LOG.info("KeyTab Entry: PrincipalName:" + 
entry.getPrincipal() + " ; KeyInfo:"+ entry.getKey().getKeyType());
+                }
             }
 
             java.util.logging.Logger logger = 
java.util.logging.Logger.getLogger("javax.security.sasl");
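Review bot: The DEBUG dump of the Kerberos configuration reads `java.security.krb5.conf` twice and hands it straight to `FileReader`, so if the property is ever unset the debug path fails with a bare NullPointerException. `FileReader` also decodes the file with the platform charset, although `rewriteKrbConfFile` writes it as UTF-8. Reading the property once into a local and opening it with `Files.newBufferedReader(Paths.get(krb5Conf), StandardCharsets.UTF_8)` keeps both sides consistent, and both classes are already imported by this commit. The setup method starts before this hunk and continues past it.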
@@ -96,6 +123,13 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
             for (java.util.logging.Handler handler : logger.getHandlers()) {
                 handler.setLevel(java.util.logging.Level.FINEST);
             }
+
+            logger = java.util.logging.Logger.getLogger("logincontext");
+            logger.setLevel(java.util.logging.Level.FINEST);
+            logger.addHandler(new java.util.logging.ConsoleHandler());
+            for (java.util.logging.Handler handler : logger.getHandlers()) {
+                handler.setLevel(java.util.logging.Level.FINEST);
+            }
         }
     }
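Review bot: The local `logger` is reassigned to the `logincontext` logger here, so from this point the `javax.security.sasl` logger configured above has no strong reference, and after the method returns neither logger does. `java.util.logging` may retain loggers only weakly, so the FINEST level and the added `ConsoleHandler` can be lost to a garbage collection before the tests produce the output they were enabled for. Keeping each configured logger in a `private static final java.util.logging.Logger` field avoids that. The new lines are also a copy of the block directly above, so one small helper taking the logger name would cover both. The enclosing method starts outside this hunk.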
 
@@ -114,7 +148,7 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
     @AfterClass
     public static void cleanUpKerberos() {
         if (kdc != null) {
-            kdc.stop();
+           kdc.stop();
         }
     }
 
@@ -142,7 +176,6 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
 
     private void doSaslGssApiKrbConnectionTestImpl(String configScope, String 
clientAuthIdAtServer) throws Exception {
         try (TestAmqpPeer testPeer = new TestAmqpPeer();) {
-
             testPeer.expectSaslGSSAPI(servicePrincipal, KRB5_KEYTAB, 
clientAuthIdAtServer);
             testPeer.expectOpen();
 
@@ -150,7 +183,7 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
             testPeer.expectBegin();
 
             String uriOptions = "?amqp.saslMechanisms=" + GSSAPI;
-            if(configScope != null) {
+            if (configScope != null) {
                 uriOptions += "&sasl.options.configScope=" + configScope;
             }
 
@@ -170,7 +203,6 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
     @Test(timeout = 20000)
     public void testSaslGssApiKrbConnectionWithPrincipalViaJmsUsernameUri() 
throws Exception {
         try (TestAmqpPeer testPeer = new TestAmqpPeer();) {
-
             testPeer.expectSaslGSSAPI(servicePrincipal, KRB5_KEYTAB, 
CLIENT_PRINCIPAL_URI_USERNAME + "@EXAMPLE.COM");
             testPeer.expectOpen();
 
@@ -179,7 +211,8 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
 
             // No password, not needed as using keyTab.
             String uriOptions = 
"?sasl.options.configScope=KRB5-CLIENT-URI-USERNAME-CALLBACK&jms.username="
-                                + CLIENT_PRINCIPAL_URI_USERNAME 
+"&amqp.saslMechanisms=" + GSSAPI;
+                                + CLIENT_PRINCIPAL_URI_USERNAME +
+                                "&amqp.saslMechanisms=" + GSSAPI;
             ConnectionFactory factory = new 
JmsConnectionFactory("amqp://localhost:" + testPeer.getServerPort() + 
uriOptions);
 
             Connection connection = factory.createConnection();
@@ -198,7 +231,6 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
     @Test(timeout = 20000)
     public void 
testSaslGssApiKrbConnectionWithPrincipalViaJmsUsernameConnFactory() throws 
Exception {
         try (TestAmqpPeer testPeer = new TestAmqpPeer();) {
-
             testPeer.expectSaslGSSAPI(servicePrincipal, KRB5_KEYTAB, 
CLIENT_PRINCIPAL_FACTORY_USERNAME + "@EXAMPLE.COM");
             testPeer.expectOpen();
 
@@ -251,7 +283,7 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
             testPeer.expectSaslFailingAuthentication(serverMechs, 
clientSelectedMech);
 
             String uriOptions = "?jms.clientID=myclientid";
-            if(enableGssapiExplicitly) {
+            if (enableGssapiExplicitly) {
                 uriOptions += "&amqp.saslMechanisms=PLAIN," + GSSAPI;
             }
             ConnectionFactory factory = new 
JmsConnectionFactory("amqp://localhost:" + testPeer.getServerPort() + 
uriOptions);
@@ -270,4 +302,19 @@ public class SaslGssApiIntegrationTest extends 
QpidJmsTestCase {
             testPeer.waitForAllHandlersToComplete(1000);
         }
     }
+
+    private static void rewriteKrbConfFile(MiniKdc server) throws Exception {
+        final Path template = 
Paths.get(SaslGssApiIntegrationTest.class.getClassLoader().getResource(KRB5_CONFIG_TEMPLATE).toURI());
+        final String krb5confTemplate = new 
String(Files.readAllBytes(template), StandardCharsets.UTF_8);
+        final String replacementPort = Integer.toString(server.getPort());
+
+        // Replace the port template with the current actual port of the 
MiniKDC Server instance.
+        final String krb5confUpdated = 
krb5confTemplate.replaceAll(KRB5_TCP_PORT_TEMPLATE, replacementPort);
+
+        try (OutputStream outputStream = 
Files.newOutputStream(kdc.getKrb5conf().toPath());
+             WritableByteChannel channel = Channels.newChannel(outputStream)) {
+
+            
channel.write(ByteBuffer.wrap(krb5confUpdated.getBytes(StandardCharsets.UTF_8)));
+        }
+    }
 }
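Review bot: `rewriteKrbConfFile` takes the port from its `server` parameter but writes to `kdc.getKrb5conf()`, the static field, so it is only correct while both refer to the same instance; `server.getKrb5conf()` should be used throughout. `replaceAll` treats `KRB5_TCP_PORT_TEMPLATE` as a regular expression where a literal `replace` is meant. A single `channel.write(...)` is not guaranteed by the `WritableByteChannel` contract to drain the buffer, and `Files.write(server.getKrb5conf().toPath(), krb5confUpdated.getBytes(StandardCharsets.UTF_8));` replaces the whole try block without that caveat. A null result from `getResource(KRB5_CONFIG_TEMPLATE)` currently surfaces as an unexplained NullPointerException, so an explicit check with a message naming the missing template would make a broken test classpath easier to diagnose.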
diff --git a/qpid-jms-client/src/test/resources/minikdc-krb5.conf 
b/qpid-jms-client/src/test/resources/minikdc-krb5-template.conf
similarity index 85%
rename from qpid-jms-client/src/test/resources/minikdc-krb5.conf
rename to qpid-jms-client/src/test/resources/minikdc-krb5-template.conf
index 9645dec..92ebae3 100644
--- a/qpid-jms-client/src/test/resources/minikdc-krb5.conf
+++ b/qpid-jms-client/src/test/resources/minikdc-krb5-template.conf
@@ -15,12 +15,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+
 [libdefaults]
-    default_realm = {0}
+    kdc_realm = EXAMPLE.COM
+    default_realm = EXAMPLE.COM
     udp_preference_limit = 1
+    kdc_tcp_port = MINI_KDC_PORT
     default_keytab_name = FILE:target/SaslGssApiIntegrationTest.krb5.keytab
 
 [realms]
-    {0} = '{'
-        kdc = {1}:{2}
-    '}'
\ No newline at end of file
+    EXAMPLE.COM = {
+        kdc = localhost:MINI_KDC_PORT
+    }
+
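Review bot: The template has no comment saying that `MINI_KDC_PORT` is a placeholder, so a reader of this file alone cannot tell that `kdc_tcp_port` and the `kdc =` entry are rewritten at test start-up. A line such as `# MINI_KDC_PORT is replaced with the running MiniKdc port by SaslGssApiIntegrationTest` above `[libdefaults]` would document it. The realm and host are now fixed to `EXAMPLE.COM` and `localhost`, where the old template took them as `{0}` and `{1}`. They presumably have to be kept in step with the MiniKdc defaults by hand, which is worth stating in the same comment.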
