001    /*
002     *  Licensed to the Apache Software Foundation (ASF) under one
003     *  or more contributor license agreements.  See the NOTICE file
004     *  distributed with this work for additional information
005     *  regarding copyright ownership.  The ASF licenses this file
006     *  to you under the Apache License, Version 2.0 (the
007     *  "License"); you may not use this file except in compliance
008     *  with the License.  You may obtain a copy of the License at
009     *  
010     *    http://www.apache.org/licenses/LICENSE-2.0
011     *  
012     *  Unless required by applicable law or agreed to in writing,
013     *  software distributed under the License is distributed on an
014     *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     *  KIND, either express or implied.  See the License for the
016     *  specific language governing permissions and limitations
017     *  under the License. 
018     *  
019     */
020    package org.apache.directory.server.changepw.service;
021    
022    import java.io.IOException;
023    import java.io.UnsupportedEncodingException;
024    import java.net.InetAddress;
025    import java.net.UnknownHostException;
026    
027    import javax.naming.NamingException;
028    import javax.security.auth.kerberos.KerberosPrincipal;
029    
030    import org.apache.directory.server.changepw.ChangePasswordServer;
031    import org.apache.directory.server.changepw.exceptions.ChangePasswordException;
032    import org.apache.directory.server.changepw.exceptions.ErrorType;
033    import org.apache.directory.server.changepw.io.ChangePasswordDataDecoder;
034    import org.apache.directory.server.changepw.messages.ChangePasswordReply;
035    import org.apache.directory.server.changepw.messages.ChangePasswordReplyModifier;
036    import org.apache.directory.server.changepw.messages.ChangePasswordRequest;
037    import org.apache.directory.server.changepw.value.ChangePasswordData;
038    import org.apache.directory.server.changepw.value.ChangePasswordDataModifier;
039    import org.apache.directory.server.i18n.I18n;
040    import org.apache.directory.server.kerberos.shared.KerberosUtils;
041    import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
042    import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
043    import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
044    import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
045    import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
046    import org.apache.directory.server.kerberos.shared.messages.application.ApplicationReply;
047    import org.apache.directory.server.kerberos.shared.messages.application.PrivateMessage;
048    import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
049    import org.apache.directory.server.kerberos.shared.messages.components.EncApRepPart;
050    import org.apache.directory.server.kerberos.shared.messages.components.EncApRepPartModifier;
051    import org.apache.directory.server.kerberos.shared.messages.components.EncKrbPrivPart;
052    import org.apache.directory.server.kerberos.shared.messages.components.EncKrbPrivPartModifier;
053    import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
054    import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
055    import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
056    import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
057    import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
058    import org.apache.directory.server.kerberos.shared.replay.InMemoryReplayCache;
059    import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
060    import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
061    import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
062    import org.apache.mina.core.session.IoSession;
063    import org.slf4j.Logger;
064    import org.slf4j.LoggerFactory;
065    
066    public class ChangePasswordService
067    {
068        /** the logger for this class */
069        private static final Logger LOG = LoggerFactory.getLogger( ChangePasswordService.class );
070    
071        private static final ReplayCache replayCache = new InMemoryReplayCache();
072        
073        private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();
074    
075        
076        public static void execute( IoSession session, ChangePasswordContext changepwContext ) throws KerberosException, IOException
077        {
078            if ( LOG.isDebugEnabled() )
079            {
080                monitorRequest( changepwContext );
081            }
082            
083            configureChangePassword( changepwContext );
084            getAuthHeader( session, changepwContext );
085            verifyServiceTicket( changepwContext );
086            getServerEntry( changepwContext );
087            verifyServiceTicketAuthHeader( changepwContext );
088            extractPassword( changepwContext );
089            
090            if ( LOG.isDebugEnabled() )
091            {
092                monitorContext( changepwContext );
093            }
094            
095            processPasswordChange( changepwContext );
096            buildReply( changepwContext );
097            
098            if ( LOG.isDebugEnabled() )
099            {
100                monitorReply( changepwContext );
101            }
102        }
103        
104        
105        private static void processPasswordChange( ChangePasswordContext changepwContext ) throws KerberosException
106        {
107            PrincipalStore store = changepwContext.getStore();
108            Authenticator authenticator = changepwContext.getAuthenticator();
109            String newPassword = changepwContext.getPassword();
110            KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
111    
112            // usec and seq-number must be present per MS but aren't in legacy kpasswd
113            // seq-number must have same value as authenticator
114            // ignore r-address
115    
116            try
117            {
118                String principalName = store.changePassword( clientPrincipal, newPassword );
119                LOG.debug( "Successfully modified principal {}.", principalName );
120            }
121            catch ( NamingException ne )
122            {
123                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, ne.getExplanation().getBytes(), ne );
124            }
125            catch ( Exception e )
126            {
127                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_HARDERROR, e );
128            }
129        }
130        
131        
132        private static void monitorRequest( ChangePasswordContext changepwContext ) throws KerberosException
133        {
134            try
135            {
136                ChangePasswordRequest request = ( ChangePasswordRequest ) changepwContext.getRequest();
137                short versionNumber = request.getVersionNumber();
138    
139                StringBuffer sb = new StringBuffer();
140                sb.append( "Responding to change password request:" );
141                sb.append( "\n\t" + "versionNumber    " + versionNumber );
142    
143                LOG.debug( sb.toString() );
144            }
145            catch ( Exception e )
146            {
147                // This is a monitor.  No exceptions should bubble up.
148                LOG.error( I18n.err( I18n.ERR_152 ), e );
149            }
150        }
151        
152        
153        private static void configureChangePassword( ChangePasswordContext changepwContext )
154        {
155            changepwContext.setReplayCache( replayCache );
156            changepwContext.setCipherTextHandler( cipherTextHandler );
157        }
158        
159        
160        private static void getAuthHeader( IoSession session, ChangePasswordContext changepwContext ) throws KerberosException
161        {
162            ChangePasswordRequest request = ( ChangePasswordRequest ) changepwContext.getRequest();
163    
164            if ( request.getVersionNumber() != 1 )
165            {
166                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_BAD_VERSION );
167            }
168    
169            if ( request.getAuthHeader() == null || request.getAuthHeader().getTicket() == null )
170            {
171                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_AUTHERROR );
172            }
173    
174            ApplicationRequest authHeader = request.getAuthHeader();
175            Ticket ticket = authHeader.getTicket();
176    
177            changepwContext.setAuthHeader( authHeader );
178            changepwContext.setTicket( ticket );
179        }
180        
181        
182        private static void verifyServiceTicket( ChangePasswordContext changepwContext ) throws KerberosException
183        {
184            ChangePasswordServer config = changepwContext.getConfig();
185            Ticket ticket = changepwContext.getTicket();
186            String primaryRealm = config.getPrimaryRealm();
187            KerberosPrincipal changepwPrincipal = config.getServicePrincipal();
188            KerberosPrincipal serverPrincipal = ticket.getServerPrincipal(); 
189    
190            if ( !ticket.getRealm().equals( primaryRealm ) || !serverPrincipal.equals( changepwPrincipal ) )
191            {
192                throw new KerberosException( org.apache.directory.server.kerberos.shared.exceptions.ErrorType.KRB_AP_ERR_NOT_US );
193            }
194        }
195        
196        
197        private static void getServerEntry( ChangePasswordContext changepwContext ) throws KerberosException
198        {
199            KerberosPrincipal principal =  changepwContext.getTicket().getServerPrincipal();
200            PrincipalStore store = changepwContext.getStore();
201    
202            changepwContext.setServerEntry( KerberosUtils.getEntry( principal, store, org.apache.directory.server.kerberos.shared.exceptions.ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN ) );
203        }
204        
205        
206        private static void verifyServiceTicketAuthHeader( ChangePasswordContext changepwContext ) throws KerberosException
207        {
208            ApplicationRequest authHeader = changepwContext.getAuthHeader();
209            Ticket ticket = changepwContext.getTicket();
210    
211            EncryptionType encryptionType = ticket.getEncPart().getEType();
212            EncryptionKey serverKey = changepwContext.getServerEntry().getKeyMap().get( encryptionType );
213    
214            long clockSkew = changepwContext.getConfig().getAllowableClockSkew();
215            ReplayCache replayCache = changepwContext.getReplayCache();
216            boolean emptyAddressesAllowed = changepwContext.getConfig().isEmptyAddressesAllowed();
217            InetAddress clientAddress = changepwContext.getClientAddress();
218            CipherTextHandler cipherTextHandler = changepwContext.getCipherTextHandler();
219    
220            Authenticator authenticator = KerberosUtils.verifyAuthHeader( authHeader, ticket, serverKey, clockSkew, replayCache,
221                emptyAddressesAllowed, clientAddress, cipherTextHandler, KeyUsage.NUMBER11, false );
222    
223            ChangePasswordRequest request = ( ChangePasswordRequest ) changepwContext.getRequest();
224    
225            if ( request.getVersionNumber() == 1 && !ticket.getEncTicketPart().getFlags().isInitial() )
226            {
227                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_INITIAL_FLAG_NEEDED );
228            }
229    
230            changepwContext.setAuthenticator( authenticator );
231        }
232        
233        
234        private static void extractPassword( ChangePasswordContext changepwContext ) throws KerberosException, IOException
235        {
236            ChangePasswordRequest request = ( ChangePasswordRequest ) changepwContext.getRequest();
237            Authenticator authenticator = changepwContext.getAuthenticator();
238            CipherTextHandler cipherTextHandler = changepwContext.getCipherTextHandler();
239    
240            // TODO - check ticket is for service authorized to change passwords
241            // ticket.getServerPrincipal().getName().equals(config.getChangepwPrincipal().getName()));
242    
243            // TODO - check client principal in ticket is authorized to change password
244    
245            // get the subsession key from the Authenticator
246            EncryptionKey subSessionKey = authenticator.getSubSessionKey();
247    
248            // decrypt the request's private message with the subsession key
249            EncryptedData encReqPrivPart = request.getPrivateMessage().getEncryptedPart();
250    
251            EncKrbPrivPart privatePart;
252    
253            try
254            {
255                privatePart = ( EncKrbPrivPart ) cipherTextHandler.unseal( EncKrbPrivPart.class, subSessionKey,
256                    encReqPrivPart, KeyUsage.NUMBER13 );
257            }
258            catch ( KerberosException ke )
259            {
260                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, ke );
261            }
262    
263            ChangePasswordData passwordData = null;
264    
265            if ( request.getVersionNumber() == ( short ) 1 )
266            {
267                // Use protocol version 0x0001, the legacy Kerberos change password protocol
268                ChangePasswordDataModifier modifier = new ChangePasswordDataModifier();
269                modifier.setNewPassword( privatePart.getUserData() );
270                passwordData = modifier.getChangePasswdData();
271            }
272            else
273            {
274                // Use protocol version 0xFF80, the backwards-compatible MS protocol
275                ChangePasswordDataDecoder passwordDecoder = new ChangePasswordDataDecoder();
276                passwordData = passwordDecoder.decodeChangePasswordData( privatePart.getUserData() );
277            }
278    
279            try
280            {
281                changepwContext.setPassword( new String( passwordData.getPassword(), "UTF-8" ) );
282            }
283            catch ( UnsupportedEncodingException uee )
284            {
285                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, uee );
286            }
287        }
288    
289        
290        private static void monitorContext( ChangePasswordContext changepwContext ) throws KerberosException
291        {
292            try
293            {
294                PrincipalStore store = changepwContext.getStore();
295                ApplicationRequest authHeader = changepwContext.getAuthHeader();
296                Ticket ticket = changepwContext.getTicket();
297                ReplayCache replayCache = changepwContext.getReplayCache();
298                long clockSkew = changepwContext.getConfig().getAllowableClockSkew();
299    
300                Authenticator authenticator = changepwContext.getAuthenticator();
301                KerberosPrincipal clientPrincipal = authenticator.getClientPrincipal();
302                String desiredPassword = changepwContext.getPassword();
303    
304                InetAddress clientAddress = changepwContext.getClientAddress();
305                HostAddresses clientAddresses = ticket.getEncTicketPart().getClientAddresses();
306    
307                boolean caddrContainsSender = false;
308    
309                if ( ticket.getEncTicketPart().getClientAddresses() != null )
310                {
311                    caddrContainsSender = ticket.getEncTicketPart().getClientAddresses().contains( new HostAddress( clientAddress ) );
312                }
313    
314                StringBuffer sb = new StringBuffer();
315                sb.append( "Monitoring context:" );
316                sb.append( "\n\t" + "store                  " + store );
317                sb.append( "\n\t" + "authHeader             " + authHeader );
318                sb.append( "\n\t" + "ticket                 " + ticket );
319                sb.append( "\n\t" + "replayCache            " + replayCache );
320                sb.append( "\n\t" + "clockSkew              " + clockSkew );
321                sb.append( "\n\t" + "clientPrincipal        " + clientPrincipal );
322                sb.append( "\n\t" + "desiredPassword        " + desiredPassword );
323                sb.append( "\n\t" + "clientAddress          " + clientAddress );
324                sb.append( "\n\t" + "clientAddresses        " + clientAddresses );
325                sb.append( "\n\t" + "caddr contains sender  " + caddrContainsSender );
326                sb.append( "\n\t" + "Ticket principal       " + ticket.getServerPrincipal() );
327    
328                PrincipalStoreEntry ticketPrincipal = changepwContext.getServerEntry();
329                
330                sb.append( "\n\t" + "cn                     " + ticketPrincipal.getCommonName() );
331                sb.append( "\n\t" + "realm                  " + ticketPrincipal.getRealmName() );
332                sb.append( "\n\t" + "Service principal      " + ticketPrincipal.getPrincipal() );
333                sb.append( "\n\t" + "SAM type               " + ticketPrincipal.getSamType() );
334    
335                EncryptionType encryptionType = ticket.getEncPart().getEType();
336                int keyVersion = ticketPrincipal.getKeyMap().get( encryptionType ).getKeyVersion();
337                sb.append( "\n\t" + "Ticket key type        " + encryptionType );
338                sb.append( "\n\t" + "Service key version    " + keyVersion );
339    
340                LOG.debug( sb.toString() );
341            }
342            catch ( Exception e )
343            {
344                // This is a monitor.  No exceptions should bubble up.
345                LOG.error( I18n.err( I18n.ERR_154 ), e );
346            }
347        }
348        
349        
350        private static void buildReply( ChangePasswordContext changepwContext ) throws KerberosException, UnknownHostException
351        {
352            Authenticator authenticator = changepwContext.getAuthenticator();
353            Ticket ticket = changepwContext.getTicket();
354            CipherTextHandler cipherTextHandler = changepwContext.getCipherTextHandler();
355    
356            // begin building reply
357    
358            // create priv message
359            // user-data component is short result code
360            EncKrbPrivPartModifier modifier = new EncKrbPrivPartModifier();
361            byte[] resultCode =
362                { ( byte ) 0x00, ( byte ) 0x00 };
363            modifier.setUserData( resultCode );
364    
365            modifier.setSenderAddress( new HostAddress( InetAddress.getLocalHost() ) );
366            EncKrbPrivPart privPart = modifier.getEncKrbPrivPart();
367    
368            // get the subsession key from the Authenticator
369            EncryptionKey subSessionKey = authenticator.getSubSessionKey();
370    
371            EncryptedData encPrivPart;
372    
373            try
374            {
375                encPrivPart = cipherTextHandler.seal( subSessionKey, privPart, KeyUsage.NUMBER13 );
376            }
377            catch ( KerberosException ke )
378            {
379                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, ke );
380            }
381    
382            PrivateMessage privateMessage = new PrivateMessage( encPrivPart );
383    
384            // Begin AP_REP generation
385            EncApRepPartModifier encApModifier = new EncApRepPartModifier();
386            encApModifier.setClientTime( authenticator.getClientTime() );
387            encApModifier.setClientMicroSecond( authenticator.getClientMicroSecond() );
388            encApModifier.setSequenceNumber( new Integer( authenticator.getSequenceNumber() ) );
389            encApModifier.setSubSessionKey( authenticator.getSubSessionKey() );
390    
391            EncApRepPart repPart = encApModifier.getEncApRepPart();
392    
393            EncryptedData encRepPart;
394    
395            try
396            {
397                encRepPart = cipherTextHandler.seal( ticket.getEncTicketPart().getSessionKey(), repPart, KeyUsage.NUMBER12 );
398            }
399            catch ( KerberosException ke )
400            {
401                throw new ChangePasswordException( ErrorType.KRB5_KPASSWD_SOFTERROR, ke );
402            }
403    
404            ApplicationReply appReply = new ApplicationReply( encRepPart );
405    
406            // return status message value object
407            ChangePasswordReplyModifier replyModifier = new ChangePasswordReplyModifier();
408            replyModifier.setApplicationReply( appReply );
409            replyModifier.setPrivateMessage( privateMessage );
410    
411            changepwContext.setReply( replyModifier.getChangePasswordReply() );
412        }
413    
414        
415        private static void monitorReply( ChangePasswordContext changepwContext ) throws KerberosException
416        {
417            try
418            {
419                ChangePasswordReply reply = ( ChangePasswordReply ) changepwContext.getReply();
420                ApplicationReply appReply = reply.getApplicationReply();
421                PrivateMessage priv = reply.getPrivateMessage();
422    
423                StringBuilder sb = new StringBuilder();
424                sb.append( "Responding with change password reply:" );
425                sb.append( "\n\t" + "appReply               " + appReply );
426                sb.append( "\n\t" + "priv                   " + priv );
427    
428                LOG.debug( sb.toString() );
429            }
430            catch ( Exception e )
431            {
432                // This is a monitor.  No exceptions should bubble up.
433                LOG.error( I18n.err( I18n.ERR_155 ), e );
434            }
435        }
436    }