SAK-10025 Support two-step authentication in Kerberos provider

git-svn-id: https://source.sakaiproject.org/svn/providers/trunk@68832 66ffb92e-73f9-0310-93c1-f5514f145a0a

providers/kerberos/pom.xml

@@ -1,5 +1,7 @@
 <?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <parent>
     <artifactId>providers-base</artifactId>
@@ -16,9 +18,24 @@
   </organization>
   <inceptionYear>2005</inceptionYear>
   <packaging>jar</packaging>
-  <properties>
-    <deploy.target/>
-  </properties>
+  <profiles>
+    <!-- Default to not running tests but allow tests to be enabled with -Ptest -->
+    <profile>
+      <id>notest</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <properties>
+        <skipTests>true</skipTests>
+      </properties>
+    </profile>
+    <profile>
+      <id>test</id>
+      <properties>
+        <skipTests>false</skipTests>
+      </properties>
+    </profile>
+  </profiles>
   <dependencies>
     <dependency>
       <groupId>org.sakaiproject.kernel</groupId>
@@ -32,22 +49,16 @@
       <groupId>org.sakaiproject.kernel</groupId>
       <artifactId>sakai-component-manager</artifactId>
     </dependency>
-<!--
-      This has been relocated to sakai-kernel-util
-      org.sakaiproject.kernel.utilsakai-util-->
     <dependency>
       <groupId>commons-logging</groupId>
       <artifactId>commons-logging</artifactId>
-      <version>1.0.4</version>
     </dependency>
-<!--org.sakaiprojectsakai-authz-api${sakai.version}-->
-<!--org.sakaiprojectsakai-entity-api${sakai.version}-->
-<!--org.sakaiprojectsakai-user-api${sakai.version}-->
-<!--org.sakaiprojectsakai-util-api${sakai.version}-->
-<!--org.sakaiprojectsakai-component-api${sakai.version}-->
-<!--org.sakaiprojectsakai-util${sakai.version}-->
   </dependencies>
   <build>
-    <resources/>
+    <testResources>
+      <testResource>
+        <directory>src/test-bundle</directory>
+      </testResource>
+    </testResources>
   </build>
 </project>

providers/kerberos/src/java/org/sakaiproject/component/kerberos/user/JassAuthenticate.java

@@ -0,0 +1,172 @@
+/**********************************************************************************
+ * $URL$
+ * $Id$
+ ***********************************************************************************
+ *
+ * Copyright (c) 2003, 2004, 2005, 2006, 2007, 2008, 2009 The Sakai Foundation
+ *
+ * Licensed under the Educational Community License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.osedu.org/licenses/ECL-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ ***************************************************************/
+package org.sakaiproject.component.kerberos.user;
+
+import java.security.PrivilegedAction;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.Oid;
+
+/**
+ * Attempts to authenticate a user and reports success or an error message
+ *
+ * @author Matthew Buckett
+ *
+ */
+public class JassAuthenticate {
+
+	private final static Log log = LogFactory.getLog(JassAuthenticate.class);
+
+	private GSSContext clientContext;
+	private GSSContext serverContext;
+
+	private byte[] acceptTokens = new byte[0];
+	private byte[] initTokens = new byte[0];
+
+	private String serverGSS;
+	private int exchangeLimit = 50;
+
+	private String servicePrincipal;
+	private String userPrincipal;
+
+	private boolean verifyServiceTicket = false;
+
+	/**
+	 * Get ready for JAAS authentication, but don't verify a service ticket.
+	 */
+	public JassAuthenticate(String userPrincipal) {
+		this.userPrincipal = userPrincipal;
+		verifyServiceTicket = false;
+	}
+
+	/**
+	 * Get ready for JAAS authentication but attempt todo service ticket verification.
+	 */
+	public JassAuthenticate(String serverGSS, String servicePrincipal, String userPrincipal) {
+		this.serverGSS = serverGSS;
+		this.servicePrincipal = servicePrincipal;
+		this.userPrincipal = userPrincipal;
+		verifyServiceTicket = true;
+	}
+
+	private class InitiatorAction implements PrivilegedAction<Void> {
+		public Void run() {
+			try {
+				initTokens = clientContext.initSecContext(acceptTokens, 0, acceptTokens.length);
+			} catch (GSSException e) {
+				throw new RuntimeException("Failed to initiate.", e);
+			}
+			return null;
+		}
+	}
+
+	private class AcceptorAction implements PrivilegedAction<Void> {
+		public Void run() {
+			try {
+				acceptTokens = serverContext.acceptSecContext(initTokens, 0, initTokens.length);
+			} catch (GSSException e) {
+				throw new RuntimeException("Failed to accept.", e);
+			}
+			return null;
+		}
+	}
+
+	public boolean attemptAuthentication(String username, String password) {
+		LoginContext userLoginContext = null;
+		LoginContext serverLoginContext = null;
+
+		try {
+			// This may well fail so run catch exceptions here.
+			try {
+				userLoginContext = new LoginContext(userPrincipal, new UsernamePasswordCallback(username, password));
+				userLoginContext.login();
+			} catch (LoginException le) {
+				if (log.isDebugEnabled()) {
+					log.debug("Failed to authenticate "+ username, le);
+				}
+				return false;
+			}
+			if(!verifyServiceTicket) {
+				log.debug("Authenticated ok and not attempting service ticket verification");
+				return true;
+			}
+			// Shouldn't ever fail
+			serverLoginContext = new LoginContext(servicePrincipal, new NullCallbackHandler());
+			serverLoginContext.login();
+
+			GSSManager manager = GSSManager.getInstance();
+			Oid kerberos = new Oid("1.2.840.113554.1.2.2");
+
+			GSSName serverName = manager.createName(
+					serverGSS, GSSName.NT_HOSTBASED_SERVICE);
+
+			clientContext = manager.createContext(
+					serverName, kerberos, null,
+					GSSContext.DEFAULT_LIFETIME);
+
+			serverContext = manager.createContext((GSSCredential)null);
+
+			int exchanges = 0;
+			while (!clientContext.isEstablished() && !serverContext.isEstablished() && !(initTokens == null && acceptTokens == null)) {
+				Subject.doAs(userLoginContext.getSubject(), new InitiatorAction());
+				Subject.doAs(serverLoginContext.getSubject(), new AcceptorAction());
+				if (++exchanges > exchangeLimit) {
+					throw new RuntimeException("Too many tickets exchanged ("+ exchangeLimit+ ").");
+				}
+			}
+			log.debug("Authenticated ok and verified service ticket");
+			return true;
+		} catch (GSSException gsse) {
+			log.warn("Failed to verify ticket.", gsse);
+		} catch (LoginException le) {
+			log.warn("Failed to login with keytab.", le);
+		} finally {
+			try {
+			if (clientContext != null) 
+				clientContext.dispose();
+			if (serverContext != null)
+				serverContext.dispose();
+
+			if (userLoginContext != null)
+				userLoginContext.logout();
+			if (serverLoginContext!= null)
+				serverLoginContext.logout();
+			} catch (Exception e) {
+				log.error("Failed to tidy up after attempting authentication.", e);
+			}
+		}
+		return false;
+	}
+
+	public boolean isVerifyServiceTicket() {
+		return verifyServiceTicket;
+	}
+}