View Javadoc
1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.kerberos;
21  
22  
23  import java.util.HashSet;
24  import java.util.Set;
25  
26  import javax.security.auth.kerberos.KerberosPrincipal;
27  
28  import org.apache.directory.server.constants.ServerDNConstants;
29  import org.apache.directory.shared.kerberos.KerberosUtils;
30  import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
31  import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType;
32  
33  
34  /**
35   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
36   */
37  public class KerberosConfig
38  {
39  
40      /** The default kdc service principal */
41      public static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
42  
43      /** The default kdc realm */
44      public static final String DEFAULT_REALM = "EXAMPLE.COM";
45  
46      /** The default allowable clockskew */
47      public static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5L * 60000L;
48  
49      /** The default for allowing empty addresses */
50      public static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
51  
52      /** The default for requiring encrypted timestamps */
53      public static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true;
54  
55      /** The default for the maximum ticket lifetime */
56      public static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440;
57  
58      /** The default for the minimum ticket lifetime, 4 minutes */
59      public static final int DEFAULT_TGS_MINIMUM_TICKET_LIFETIME = 60000 * 4;
60  
61      /** The default for the maximum renewable lifetime */
62      public static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080;
63  
64      /** The default for allowing forwardable tickets */
65      public static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true;
66  
67      /** The default for allowing proxiable tickets */
68      public static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true;
69  
70      /** The default for allowing postdated tickets */
71      public static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true;
72  
73      /** The default for allowing renewable tickets */
74      public static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true;
75  
76      /** The default for verifying the body checksum */
77      public static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true;
78  
79      /** The default encryption types */
80      public static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
81          { "aes128-cts-hmac-sha1-96", "des-cbc-md5", "des3-cbc-sha1-kd" };
82  
83      /** The primary realm */
84      private String primaryRealm = KerberosConfig.DEFAULT_REALM;
85  
86      /** The service principal name. */
87      private String servicePrincipal = KerberosConfig.DEFAULT_PRINCIPAL;
88  
89      /** The allowable clock skew. */
90      private long allowableClockSkew = KerberosConfig.DEFAULT_ALLOWABLE_CLOCKSKEW;
91  
92      /** Whether pre-authentication by encrypted timestamp is required. */
93      private boolean isPaEncTimestampRequired = KerberosConfig.DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
94  
95      /** The maximum ticket lifetime. */
96      private long maximumTicketLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
97  
98      /** The minimum ticket lifetime. */
99      private long minimumTicketLifetime = KerberosConfig.DEFAULT_TGS_MINIMUM_TICKET_LIFETIME;
100 
101     /** The maximum renewable lifetime. */
102     private long maximumRenewableLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
103 
104     /** Whether empty addresses are allowed. */
105     private boolean isEmptyAddressesAllowed = KerberosConfig.DEFAULT_EMPTY_ADDRESSES_ALLOWED;
106 
107     /** Whether forwardable addresses are allowed. */
108     private boolean isForwardableAllowed = KerberosConfig.DEFAULT_TGS_FORWARDABLE_ALLOWED;
109 
110     /** Whether proxiable addresses are allowed. */
111     private boolean isProxiableAllowed = KerberosConfig.DEFAULT_TGS_PROXIABLE_ALLOWED;
112 
113     /** Whether postdated tickets are allowed. */
114     private boolean isPostdatedAllowed = KerberosConfig.DEFAULT_TGS_POSTDATED_ALLOWED;
115 
116     /** Whether renewable tickets are allowed. */
117     private boolean isRenewableAllowed = KerberosConfig.DEFAULT_TGS_RENEWABLE_ALLOWED;
118 
119     /** Whether to verify the body checksum. */
120     private boolean isBodyChecksumVerified = KerberosConfig.DEFAULT_VERIFY_BODY_CHECKSUM;
121 
122     /** The encryption types. */
123     private Set<EncryptionType> encryptionTypes;
124 
125     /* cached kerberos/changepassword service principal */
126     private KerberosPrincipal srvPrincipal;
127 
128     private String searchBaseDn;
129 
130 
131     public KerberosConfig()
132     {
133         setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN );
134         prepareEncryptionTypes();
135     }
136 
137 
138     /**
139      * Returns the allowable clock skew.
140      *
141      * @return The allowable clock skew.
142      */
143     public long getAllowableClockSkew()
144     {
145         return allowableClockSkew;
146     }
147 
148 
149     /**
150      * @return the isEmptyAddressesAllowed
151      */
152     public boolean isEmptyAddressesAllowed()
153     {
154         return isEmptyAddressesAllowed;
155     }
156 
157 
158     /**
159      * @return the isForwardableAllowed
160      */
161     public boolean isForwardableAllowed()
162     {
163         return isForwardableAllowed;
164     }
165 
166 
167     /**
168      * @return the isPostdatedAllowed
169      */
170     public boolean isPostdatedAllowed()
171     {
172         return isPostdatedAllowed;
173     }
174 
175 
176     /**
177      * @return the isProxiableAllowed
178      */
179     public boolean isProxiableAllowed()
180     {
181         return isProxiableAllowed;
182     }
183 
184 
185     /**
186      * @return the isRenewableAllowed
187      */
188     public boolean isRenewableAllowed()
189     {
190         return isRenewableAllowed;
191     }
192 
193 
194     /**
195      * @return the maximumRenewableLifetime
196      */
197     public long getMaximumRenewableLifetime()
198     {
199         return maximumRenewableLifetime;
200     }
201 
202 
203     /**
204      * @return the maximumTicketLifetime
205      */
206     public long getMaximumTicketLifetime()
207     {
208         return maximumTicketLifetime;
209     }
210 
211 
212     /**
213      * @param allowableClockSkew the allowableClockSkew to set
214      */
215     public void setAllowableClockSkew( long allowableClockSkew )
216     {
217         this.allowableClockSkew = allowableClockSkew;
218     }
219 
220 
221     /**
222      * Initialize the encryptionTypes set
223      * 
224      * @param encryptionTypes the encryptionTypes to set
225      */
226     public void setEncryptionTypes( EncryptionType[] encryptionTypes )
227     {
228         if ( encryptionTypes != null )
229         {
230             this.encryptionTypes.clear();
231 
232             for ( EncryptionType encryptionType : encryptionTypes )
233             {
234                 this.encryptionTypes.add( encryptionType );
235             }
236         }
237 
238         this.encryptionTypes = KerberosUtils.orderEtypesByStrength( this.encryptionTypes );
239     }
240 
241 
242     /**
243      * Initialize the encryptionTypes set
244      * 
245      * @param encryptionTypes the encryptionTypes to set
246      */
247     public void setEncryptionTypes( Set<EncryptionType> encryptionTypes )
248     {
249         this.encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes );
250     }
251 
252 
253     /**
254      * @param isEmptyAddressesAllowed the isEmptyAddressesAllowed to set
255      */
256     public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed )
257     {
258         this.isEmptyAddressesAllowed = isEmptyAddressesAllowed;
259     }
260 
261 
262     /**
263      * @param isForwardableAllowed the isForwardableAllowed to set
264      */
265     public void setForwardableAllowed( boolean isForwardableAllowed )
266     {
267         this.isForwardableAllowed = isForwardableAllowed;
268     }
269 
270 
271     /**
272      * @param isPaEncTimestampRequired the isPaEncTimestampRequired to set
273      */
274     public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired )
275     {
276         this.isPaEncTimestampRequired = isPaEncTimestampRequired;
277     }
278 
279 
280     /**
281      * @param isPostdatedAllowed the isPostdatedAllowed to set
282      */
283     public void setPostdatedAllowed( boolean isPostdatedAllowed )
284     {
285         this.isPostdatedAllowed = isPostdatedAllowed;
286     }
287 
288 
289     /**
290      * @param isProxiableAllowed the isProxiableAllowed to set
291      */
292     public void setProxiableAllowed( boolean isProxiableAllowed )
293     {
294         this.isProxiableAllowed = isProxiableAllowed;
295     }
296 
297 
298     /**
299      * @param isRenewableAllowed the isRenewableAllowed to set
300      */
301     public void setRenewableAllowed( boolean isRenewableAllowed )
302     {
303         this.isRenewableAllowed = isRenewableAllowed;
304     }
305 
306 
307     /**
308      * @param kdcPrincipal the kdcPrincipal to set
309      */
310     public void setServicePrincipal( String kdcPrincipal )
311     {
312         this.servicePrincipal = kdcPrincipal;
313     }
314 
315 
316     /**
317      * @param maximumRenewableLifetime the maximumRenewableLifetime to set
318      */
319     public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
320     {
321         this.maximumRenewableLifetime = maximumRenewableLifetime;
322     }
323 
324 
325     /**
326      * @param maximumTicketLifetime the maximumTicketLifetime to set
327      */
328     public void setMaximumTicketLifetime( long maximumTicketLifetime )
329     {
330         this.maximumTicketLifetime = maximumTicketLifetime;
331     }
332 
333 
334     /**
335      * @param primaryRealm the primaryRealm to set
336      */
337     public void setPrimaryRealm( String primaryRealm )
338     {
339         this.primaryRealm = primaryRealm;
340     }
341 
342 
343     /**
344      * Returns the primary realm.
345      *
346      * @return The primary realm.
347      */
348     public String getPrimaryRealm()
349     {
350         return primaryRealm;
351     }
352 
353 
354     /**
355      * Returns the service principal for this KDC/changepwd service.
356      *
357      * @return The service principal for this KDC/changepwd service.
358      */
359     public KerberosPrincipal getServicePrincipal()
360     {
361         if ( srvPrincipal == null )
362         {
363             srvPrincipal = new KerberosPrincipal( servicePrincipal, PrincipalNameType.KRB_NT_SRV_INST.getValue() );
364         }
365 
366         return srvPrincipal;
367     }
368 
369 
370     /**
371      * Returns the encryption types.
372      *
373      * @return The encryption types.
374      */
375     public Set<EncryptionType> getEncryptionTypes()
376     {
377         return encryptionTypes;
378     }
379 
380 
381     /**
382      * Returns whether pre-authentication by encrypted timestamp is required.
383      *
384      * @return Whether pre-authentication by encrypted timestamp is required.
385      */
386     public boolean isPaEncTimestampRequired()
387     {
388         return isPaEncTimestampRequired;
389     }
390 
391 
392     /**
393      * @return the isBodyChecksumVerified
394      */
395     public boolean isBodyChecksumVerified()
396     {
397         return isBodyChecksumVerified;
398     }
399 
400 
401     /**
402      * @param isBodyChecksumVerified the isBodyChecksumVerified to set
403      */
404     public void setBodyChecksumVerified( boolean isBodyChecksumVerified )
405     {
406         this.isBodyChecksumVerified = isBodyChecksumVerified;
407     }
408 
409 
410     public String getSearchBaseDn()
411     {
412         return searchBaseDn;
413     }
414 
415 
416     public void setSearchBaseDn( String searchBaseDn )
417     {
418         this.searchBaseDn = searchBaseDn;
419     }
420 
421 
422     public long getMinimumTicketLifetime()
423     {
424         return minimumTicketLifetime;
425     }
426 
427 
428     public void setMinimumTicketLifetime( long minimumTicketLifetime )
429     {
430         this.minimumTicketLifetime = minimumTicketLifetime;
431     }
432 
433 
434     /**
435      * Construct an HashSet containing the default encryption types
436      */
437     private void prepareEncryptionTypes()
438     {
439         String[] encryptionTypeStrings = KerberosConfig.DEFAULT_ENCRYPTION_TYPES;
440 
441         encryptionTypes = new HashSet<>();
442 
443         for ( String enc : encryptionTypeStrings )
444         {
445             for ( EncryptionType type : EncryptionType.getEncryptionTypes() )
446             {
447                 if ( type.getName().equalsIgnoreCase( enc ) )
448                 {
449                     encryptionTypes.add( type );
450                 }
451             }
452         }
453 
454         encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes );
455     }
456 }