Documentation
Overview
Package client provides a client library and methods for Kerberos 5 authentication.
Index
- func SetSPNEGOHeader(creds credentials.Credentials, tkt messages.Ticket, ...) error
- type Cache
- type CacheEntry
- type Client
- func (cl *Client) ASExchange(realm string, referral int) error
- func (cl *Client) AddSession(tkt messages.Ticket, dep messages.EncKDCRepPart)
- func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool)
- func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error)
- func (cl *Client) GetSessionFromPrincipalName(spn types.PrincipalName) (*session, error)
- func (cl *Client) GetSessionFromRealm(realm string) (*session, error)
- func (cl *Client) IsConfigured() (bool, error)
- func (cl *Client) Key(etype etype.EType, krberr messages.KRBError) (types.EncryptionKey, error)
- func (cl *Client) LoadConfig(cfgPath string) (*Client, error)
- func (cl *Client) Login() error
- func (cl *Client) RenewTicket(e CacheEntry) (CacheEntry, error)
- func (cl *Client) SendToKDC(b []byte, realm string) ([]byte, error)
- func (cl *Client) SetSPNEGOHeader(r *http.Request, spn string) error
- func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tkt messages.Ticket, ...) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)
- func (cl *Client) WithConfig(cfg *config.Config) *Client
- func (cl *Client) WithKeytab(kt keytab.Keytab) *Client
- func (cl *Client) WithPassword(password string) *Client
- type Config
Constants
This section is empty.
Variables
This section is empty.
Functions
func SetSPNEGOHeader (added in v1.0.0)
func SetSPNEGOHeader(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey, r *http.Request) error
SetSPNEGOHeader sets the provided ticket as the SPNEGO authorization header on the HTTP request object.
Types
type Cache
type Cache struct {
	Entries map[string]CacheEntry
	// contains filtered or unexported fields
}
Cache for client tickets.
func (*Cache) RemoveEntry
RemoveEntry removes the cache entry for the defined SPN.
type CacheEntry
type CacheEntry struct {
	Ticket     messages.Ticket
	AuthTime   time.Time
	StartTime  time.Time
	EndTime    time.Time
	RenewTill  time.Time
	SessionKey types.EncryptionKey
}
CacheEntry holds details for a client cache entry.
type Client
type Client struct {
	Credentials *credentials.Credentials
	Config      *config.Config
	GoKrb5Conf  *Config
	Cache       *Cache
	// contains filtered or unexported fields
}
Client side configuration and state.
func NewClientFromCCache
func NewClientFromCCache(c credentials.CCache) (Client, error)
NewClientFromCCache creates a client from a populated client cache.
WARNING: If you do not add a keytab or password to the client then the TGT cannot be renewed and a failure will occur after the TGT expires.
func NewClientWithKeytab
NewClientWithKeytab creates a new client from a keytab credential.
func NewClientWithPassword
NewClientWithPassword creates a new client from a password credential. Set the realm to empty string to use the default realm from config.
func (*Client) ASExchange
ASExchange performs an AS exchange for the client to retrieve a TGT.
func (*Client) AddSession (added in v1.2.0)
func (cl *Client) AddSession(tkt messages.Ticket, dep messages.EncKDCRepPart)
AddSession adds a session for a realm with a TGT to the client's session cache. A goroutine is started to automatically renew the TGT before expiry.
func (*Client) GetCachedTicket
GetCachedTicket returns a ticket from the cache for the SPN. Only a ticket that is currently valid will be returned.
func (*Client) GetServiceTicket
GetServiceTicket makes a request to get a service ticket for the SPN specified.
SPN format: <SERVICE>/<FQDN>, e.g. HTTP/www.example.com
The ticket will be added to the client's ticket cache.
func (*Client) GetSessionFromPrincipalName (added in v1.2.0)
func (cl *Client) GetSessionFromPrincipalName(spn types.PrincipalName) (*session, error)
GetSessionFromPrincipalName returns the session for the realm of the principal provided.
func (*Client) GetSessionFromRealm (added in v1.2.0)
GetSessionFromRealm returns the session for the realm provided.
func (*Client) IsConfigured
IsConfigured indicates if the client has the values required set.
func (*Client) Key
Key returns a key for the client, preferably from a keytab and otherwise generated from the password. The KRBError would have been returned from the KDC and must be of type KDC_ERR_PREAUTH_REQUIRED. If a KRBError is not available, pass nil and a key will be returned from the credentials keytab.
func (*Client) LoadConfig (added in v1.0.0)
LoadConfig loads the Kerberos configuration for the client from the file path specified.
func (*Client) RenewTicket (added in v1.0.0)
func (cl *Client) RenewTicket(e CacheEntry) (CacheEntry, error)
RenewTicket renews a cache entry ticket.
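Added example (not gokrb5 code): a standard-library-only model of the validity rule GetCachedTicket describes and of the renew-before-expiry decision behind RenewTicket, using the StartTime, EndTime and RenewTill fields of CacheEntry. The entry type, the decide function, the action names and the margin parameter are hypothetical, and the sample times are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// entry models the time fields of the CacheEntry type documented on this page.
// Ticket and SessionKey are left out; the type is hypothetical, not gokrb5's.
type entry struct {
	StartTime, EndTime, RenewTill time.Time
}

// Hypothetical action names returned by decide.
const (
	Use         = "use"           // valid now with more than margin left
	Renew       = "renew"         // valid, close to EndTime, RenewTill allows an extension
	Fetch       = "fetch"         // missing or expired: a new ticket must be requested
	NotYetValid = "not-yet-valid" // StartTime is still in the future
)

// decide returns the action for the SPN's cache entry at time now.
// margin is how long before EndTime a renewal should be attempted.
func decide(cache map[string]entry, spn string, now time.Time, margin time.Duration) string {
	e, ok := cache[spn]
	switch {
	case !ok:
		return Fetch
	case now.Before(e.StartTime):
		return NotYetValid
	case !now.Before(e.EndTime):
		return Fetch // an expired ticket can no longer be renewed
	case e.EndTime.Sub(now) > margin:
		return Use
	case e.RenewTill.After(e.EndTime):
		return Renew
	default:
		return Use // valid but not extendable: usable until EndTime
	}
}

func main() {
	t0 := time.Date(2024, 1, 1, 8, 0, 0, 0, time.UTC) // constructed sample times
	spn := "HTTP/www.example.com"
	cache := map[string]entry{spn: {t0, t0.Add(10 * time.Hour), t0.Add(168 * time.Hour)}}
	for _, h := range []time.Duration{1, 9, 11} {
		fmt.Println(int(h), decide(cache, spn, t0.Add(h*time.Hour), 2*time.Hour))
	}
}
```

The Fetch result for an expired entry is the case the NewClientFromCCache warning concerns: once the TGT itself has passed EndTime, only a keytab or password can obtain a new one.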
func (*Client) SendToKDC (added in v1.0.0)
SendToKDC performs network actions to send data to the KDC.
func (*Client) SetSPNEGOHeader (added in v1.0.0)
SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on the HTTP request object. To auto-generate the SPN from the request object, pass an empty string "".
func (*Client) TGSExchange
func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tkt messages.Ticket, sessionKey types.EncryptionKey, renewal bool, referral int) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)
TGSExchange performs a TGS exchange to retrieve a ticket to the specified SPN. The ticket retrieved is added to the client's cache.
func (*Client) WithConfig (added in v1.0.0)
WithConfig sets the Kerberos configuration for the client.
func (*Client) WithKeytab (added in v1.0.0)
WithKeytab adds a keytab to the client.
func (*Client) WithPassword (added in v1.0.0)
WithPassword adds a password to the client.
type Config (added in v1.0.0)
Config struct holds GoKRB5-specific client configurations. Set Disable_PA_FX_FAST to true to force PA_FX_FAST off. Set Assume_PA_ENC_TIMESTAMP_Required to send the PA_ENC_TIMESTAMP proactively rather than waiting for a KRB_ERROR response from the KDC indicating it is required.