Source code

001/*
002 *  Licensed to the Apache Software Foundation (ASF) under one
003 *  or more contributor license agreements.  See the NOTICE file
004 *  distributed with this work for additional information
005 *  regarding copyright ownership.  The ASF licenses this file
006 *  to you under the Apache License, Version 2.0 (the
007 *  "License"); you may not use this file except in compliance
008 *  with the License.  You may obtain a copy of the License at
009 *  
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *  
012 *  Unless required by applicable law or agreed to in writing,
013 *  software distributed under the License is distributed on an
014 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 *  KIND, either express or implied.  See the License for the
016 *  specific language governing permissions and limitations
017 *  under the License. 
018 *  
019 */
020package org.apache.directory.server.kerberos;
021
022
023import java.util.HashSet;
024import java.util.Set;
025
026import javax.security.auth.kerberos.KerberosPrincipal;
027
028import org.apache.directory.server.constants.ServerDNConstants;
029import org.apache.directory.shared.kerberos.KerberosUtils;
030import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
031import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType;
032
033
034/**
035 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
036 */
037public class KerberosConfig
038{
039
040    /** The default kdc service principal */
041    public static final String DEFAULT_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM";
042
043    /** The default kdc realm */
044    public static final String DEFAULT_REALM = "EXAMPLE.COM";
045
046    /** The default allowable clockskew */
047    public static final long DEFAULT_ALLOWABLE_CLOCKSKEW = 5L * 60000L;
048
049    /** The default for allowing empty addresses */
050    public static final boolean DEFAULT_EMPTY_ADDRESSES_ALLOWED = true;
051
052    /** The default for requiring encrypted timestamps */
053    public static final boolean DEFAULT_PA_ENC_TIMESTAMP_REQUIRED = true;
054
055    /** The default for the maximum ticket lifetime */
056    public static final int DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME = 60000 * 1440;
057
058    /** The default for the minimum ticket lifetime, 4 minutes */
059    public static final int DEFAULT_TGS_MINIMUM_TICKET_LIFETIME = 60000 * 4;
060
061    /** The default for the maximum renewable lifetime */
062    public static final int DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME = 60000 * 10080;
063
064    /** The default for allowing forwardable tickets */
065    public static final boolean DEFAULT_TGS_FORWARDABLE_ALLOWED = true;
066
067    /** The default for allowing proxiable tickets */
068    public static final boolean DEFAULT_TGS_PROXIABLE_ALLOWED = true;
069
070    /** The default for allowing postdated tickets */
071    public static final boolean DEFAULT_TGS_POSTDATED_ALLOWED = true;
072
073    /** The default for allowing renewable tickets */
074    public static final boolean DEFAULT_TGS_RENEWABLE_ALLOWED = true;
075
076    /** The default for verifying the body checksum */
077    public static final boolean DEFAULT_VERIFY_BODY_CHECKSUM = true;
078
079    /** The default encryption types */
080    public static final String[] DEFAULT_ENCRYPTION_TYPES = new String[]
081        { "aes128-cts-hmac-sha1-96", "des-cbc-md5", "des3-cbc-sha1-kd" };
082
083    /** The primary realm */
084    private String primaryRealm = KerberosConfig.DEFAULT_REALM;
085
086    /** The service principal name. */
087    private String servicePrincipal = KerberosConfig.DEFAULT_PRINCIPAL;
088
089    /** The allowable clock skew. */
090    private long allowableClockSkew = KerberosConfig.DEFAULT_ALLOWABLE_CLOCKSKEW;
091
092    /** Whether pre-authentication by encrypted timestamp is required. */
093    private boolean isPaEncTimestampRequired = KerberosConfig.DEFAULT_PA_ENC_TIMESTAMP_REQUIRED;
094
095    /** The maximum ticket lifetime. */
096    private long maximumTicketLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_TICKET_LIFETIME;
097
098    /** The minimum ticket lifetime. */
099    private long minimumTicketLifetime = KerberosConfig.DEFAULT_TGS_MINIMUM_TICKET_LIFETIME;
100
101    /** The maximum renewable lifetime. */
102    private long maximumRenewableLifetime = KerberosConfig.DEFAULT_TGS_MAXIMUM_RENEWABLE_LIFETIME;
103
104    /** Whether empty addresses are allowed. */
105    private boolean isEmptyAddressesAllowed = KerberosConfig.DEFAULT_EMPTY_ADDRESSES_ALLOWED;
106
107    /** Whether forwardable addresses are allowed. */
108    private boolean isForwardableAllowed = KerberosConfig.DEFAULT_TGS_FORWARDABLE_ALLOWED;
109
110    /** Whether proxiable addresses are allowed. */
111    private boolean isProxiableAllowed = KerberosConfig.DEFAULT_TGS_PROXIABLE_ALLOWED;
112
113    /** Whether postdated tickets are allowed. */
114    private boolean isPostdatedAllowed = KerberosConfig.DEFAULT_TGS_POSTDATED_ALLOWED;
115
116    /** Whether renewable tickets are allowed. */
117    private boolean isRenewableAllowed = KerberosConfig.DEFAULT_TGS_RENEWABLE_ALLOWED;
118
119    /** Whether to verify the body checksum. */
120    private boolean isBodyChecksumVerified = KerberosConfig.DEFAULT_VERIFY_BODY_CHECKSUM;
121
122    /** The encryption types. */
123    private Set<EncryptionType> encryptionTypes;
124
125    /* cached kerberos/changepassword service principal */
126    private KerberosPrincipal srvPrincipal;
127
128    private String searchBaseDn;
129
130
131    public KerberosConfig()
132    {
133        setSearchBaseDn( ServerDNConstants.USER_EXAMPLE_COM_DN );
134        prepareEncryptionTypes();
135    }
136
137
138    /**
139     * Returns the allowable clock skew.
140     *
141     * @return The allowable clock skew.
142     */
143    public long getAllowableClockSkew()
144    {
145        return allowableClockSkew;
146    }
147
148
149    /**
150     * @return the isEmptyAddressesAllowed
151     */
152    public boolean isEmptyAddressesAllowed()
153    {
154        return isEmptyAddressesAllowed;
155    }
156
157
158    /**
159     * @return the isForwardableAllowed
160     */
161    public boolean isForwardableAllowed()
162    {
163        return isForwardableAllowed;
164    }
165
166
167    /**
168     * @return the isPostdatedAllowed
169     */
170    public boolean isPostdatedAllowed()
171    {
172        return isPostdatedAllowed;
173    }
174
175
176    /**
177     * @return the isProxiableAllowed
178     */
179    public boolean isProxiableAllowed()
180    {
181        return isProxiableAllowed;
182    }
183
184
185    /**
186     * @return the isRenewableAllowed
187     */
188    public boolean isRenewableAllowed()
189    {
190        return isRenewableAllowed;
191    }
192
193
194    /**
195     * @return the maximumRenewableLifetime
196     */
197    public long getMaximumRenewableLifetime()
198    {
199        return maximumRenewableLifetime;
200    }
201
202
203    /**
204     * @return the maximumTicketLifetime
205     */
206    public long getMaximumTicketLifetime()
207    {
208        return maximumTicketLifetime;
209    }
210
211
212    /**
213     * @param allowableClockSkew the allowableClockSkew to set
214     */
215    public void setAllowableClockSkew( long allowableClockSkew )
216    {
217        this.allowableClockSkew = allowableClockSkew;
218    }
219
220
221    /**
222     * Initialize the encryptionTypes set
223     * 
224     * @param encryptionTypes the encryptionTypes to set
225     */
226    public void setEncryptionTypes( EncryptionType[] encryptionTypes )
227    {
228        if ( encryptionTypes != null )
229        {
230            this.encryptionTypes.clear();
231
232            for ( EncryptionType encryptionType : encryptionTypes )
233            {
234                this.encryptionTypes.add( encryptionType );
235            }
236        }
237
238        this.encryptionTypes = KerberosUtils.orderEtypesByStrength( this.encryptionTypes );
239    }
240
241
242    /**
243     * Initialize the encryptionTypes set
244     * 
245     * @param encryptionTypes the encryptionTypes to set
246     */
247    public void setEncryptionTypes( Set<EncryptionType> encryptionTypes )
248    {
249        this.encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes );
250    }
251
252
253    /**
254     * @param isEmptyAddressesAllowed the isEmptyAddressesAllowed to set
255     */
256    public void setEmptyAddressesAllowed( boolean isEmptyAddressesAllowed )
257    {
258        this.isEmptyAddressesAllowed = isEmptyAddressesAllowed;
259    }
260
261
262    /**
263     * @param isForwardableAllowed the isForwardableAllowed to set
264     */
265    public void setForwardableAllowed( boolean isForwardableAllowed )
266    {
267        this.isForwardableAllowed = isForwardableAllowed;
268    }
269
270
271    /**
272     * @param isPaEncTimestampRequired the isPaEncTimestampRequired to set
273     */
274    public void setPaEncTimestampRequired( boolean isPaEncTimestampRequired )
275    {
276        this.isPaEncTimestampRequired = isPaEncTimestampRequired;
277    }
278
279
280    /**
281     * @param isPostdatedAllowed the isPostdatedAllowed to set
282     */
283    public void setPostdatedAllowed( boolean isPostdatedAllowed )
284    {
285        this.isPostdatedAllowed = isPostdatedAllowed;
286    }
287
288
289    /**
290     * @param isProxiableAllowed the isProxiableAllowed to set
291     */
292    public void setProxiableAllowed( boolean isProxiableAllowed )
293    {
294        this.isProxiableAllowed = isProxiableAllowed;
295    }
296
297
298    /**
299     * @param isRenewableAllowed the isRenewableAllowed to set
300     */
301    public void setRenewableAllowed( boolean isRenewableAllowed )
302    {
303        this.isRenewableAllowed = isRenewableAllowed;
304    }
305
306
307    /**
308     * @param kdcPrincipal the kdcPrincipal to set
309     */
310    public void setServicePrincipal( String kdcPrincipal )
311    {
312        this.servicePrincipal = kdcPrincipal;
313    }
314
315
316    /**
317     * @param maximumRenewableLifetime the maximumRenewableLifetime to set
318     */
319    public void setMaximumRenewableLifetime( long maximumRenewableLifetime )
320    {
321        this.maximumRenewableLifetime = maximumRenewableLifetime;
322    }
323
324
325    /**
326     * @param maximumTicketLifetime the maximumTicketLifetime to set
327     */
328    public void setMaximumTicketLifetime( long maximumTicketLifetime )
329    {
330        this.maximumTicketLifetime = maximumTicketLifetime;
331    }
332
333
334    /**
335     * @param primaryRealm the primaryRealm to set
336     */
337    public void setPrimaryRealm( String primaryRealm )
338    {
339        this.primaryRealm = primaryRealm;
340    }
341
342
343    /**
344     * Returns the primary realm.
345     *
346     * @return The primary realm.
347     */
348    public String getPrimaryRealm()
349    {
350        return primaryRealm;
351    }
352
353
354    /**
355     * Returns the service principal for this KDC/changepwd service.
356     *
357     * @return The service principal for this KDC/changepwd service.
358     */
359    public KerberosPrincipal getServicePrincipal()
360    {
361        if ( srvPrincipal == null )
362        {
363            srvPrincipal = new KerberosPrincipal( servicePrincipal, PrincipalNameType.KRB_NT_SRV_INST.getValue() );
364        }
365
366        return srvPrincipal;
367    }
368
369
370    /**
371     * Returns the encryption types.
372     *
373     * @return The encryption types.
374     */
375    public Set<EncryptionType> getEncryptionTypes()
376    {
377        return encryptionTypes;
378    }
379
380
381    /**
382     * Returns whether pre-authentication by encrypted timestamp is required.
383     *
384     * @return Whether pre-authentication by encrypted timestamp is required.
385     */
386    public boolean isPaEncTimestampRequired()
387    {
388        return isPaEncTimestampRequired;
389    }
390
391
392    /**
393     * @return the isBodyChecksumVerified
394     */
395    public boolean isBodyChecksumVerified()
396    {
397        return isBodyChecksumVerified;
398    }
399
400
401    /**
402     * @param isBodyChecksumVerified the isBodyChecksumVerified to set
403     */
404    public void setBodyChecksumVerified( boolean isBodyChecksumVerified )
405    {
406        this.isBodyChecksumVerified = isBodyChecksumVerified;
407    }
408
409
410    public String getSearchBaseDn()
411    {
412        return searchBaseDn;
413    }
414
415
416    public void setSearchBaseDn( String searchBaseDn )
417    {
418        this.searchBaseDn = searchBaseDn;
419    }
420
421
422    public long getMinimumTicketLifetime()
423    {
424        return minimumTicketLifetime;
425    }
426
427
428    public void setMinimumTicketLifetime( long minimumTicketLifetime )
429    {
430        this.minimumTicketLifetime = minimumTicketLifetime;
431    }
432
433
434    /**
435     * Construct an HashSet containing the default encryption types
436     */
437    private void prepareEncryptionTypes()
438    {
439        String[] encryptionTypeStrings = KerberosConfig.DEFAULT_ENCRYPTION_TYPES;
440
441        encryptionTypes = new HashSet<>();
442
443        for ( String enc : encryptionTypeStrings )
444        {
445            for ( EncryptionType type : EncryptionType.getEncryptionTypes() )
446            {
447                if ( type.getName().equalsIgnoreCase( enc ) )
448                {
449                    encryptionTypes.add( type );
450                }
451            }
452        }
453
454        encryptionTypes = KerberosUtils.orderEtypesByStrength( encryptionTypes );
455    }
456}