Documentation ¶
Overview ¶
Package service provides server side integrations for Kerberos authentication.
Index ¶
- func ClientAddress(h types.HostAddress) func(*Settings)
- func DecodePAC(b bool) func(*Settings)
- func KeytabPrincipal(p string) func(*Settings)
- func Logger(l *log.Logger) func(*Settings)
- func MaxClockSkew(d time.Duration) func(*Settings)
- func RequireHostAddr(b bool) func(*Settings)
- func SName(sname string) func(*Settings)
- func SessionManager(sm SessionMgr) func(*Settings)
- func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error)
- type Cache
- type KRB5BasicAuthenticator
- type SessionMgr
- type Settings
- func (s *Settings) ClientAddress() types.HostAddress
- func (s *Settings) DecodePAC() bool
- func (s *Settings) KeytabPrincipal() *types.PrincipalName
- func (s *Settings) Logger() *log.Logger
- func (s *Settings) MaxClockSkew() time.Duration
- func (s *Settings) RequireHostAddr() bool
- func (s *Settings) SName() string
- func (s *Settings) SessionManager() SessionMgr
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ClientAddress ¶
func ClientAddress(h types.HostAddress) func(*Settings)
ClientAddress configures the service side with the client's host address to be used during validation; it is compared against any addresses carried in the ticket.
s := NewSettings(kt, ClientAddress(h))
func DecodePAC ¶
func DecodePAC(b bool) func(*Settings)
DecodePAC configures whether the service decodes the PAC when one is present in the ticket. Defaults to enabled if not specified.
s := NewSettings(kt, DecodePAC(false))
func KeytabPrincipal ¶
func KeytabPrincipal(p string) func(*Settings)
KeytabPrincipal overrides the principal name used to find the service key in the keytab. Without it, the service principal name from the ticket is used for the lookup.
s := NewSettings(kt, KeytabPrincipal("someaccount"))
func MaxClockSkew ¶
func MaxClockSkew(d time.Duration) func(*Settings)
MaxClockSkew configures the service side with the maximum acceptable clock skew between the service and the issue time of Kerberos tickets. If not set, a default of 5 minutes applies.
s := NewSettings(kt, MaxClockSkew(d))
func RequireHostAddr ¶
func RequireHostAddr(b bool) func(*Settings)
RequireHostAddr configures the service side to require host addresses to be present in Kerberos tickets; a ticket that carries no addresses is then rejected.
s := NewSettings(kt, RequireHostAddr(true))
func SName ¶
func SName(sname string) func(*Settings)
SName provides a specific service principal name to the service settings.
s := NewSettings(kt, SName("HTTP/some.service.com"))
func SessionManager ¶
func SessionManager(sm SessionMgr) func(*Settings)
SessionManager configures a session manager to establish sessions with clients to avoid excessive authentication challenges.
s := NewSettings(kt, SessionManager(sm))
func VerifyAPREQ ¶
func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error)
VerifyAPREQ verifies an AP_REQ sent to the service. It returns a boolean indicating whether the AP_REQ is valid, the client's credentials (principal name and realm), and an error if verification failed. Only treat the returned credentials as authenticated when the boolean is true and the error is nil.
Types ¶
type Cache ¶
type Cache struct {
// contains filtered or unexported fields
}
Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.
func GetReplayCache ¶
GetReplayCache returns a pointer to the Cache singleton.
func (*Cache) AddEntry ¶
func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)
AddEntry adds an entry to the Cache.
func (*Cache) ClearOldEntries ¶
ClearOldEntries clears entries from the Cache that are older than the duration provided.
func (*Cache) IsReplay ¶
func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool
IsReplay tests whether the Authenticator provided is a replay within the duration defined. If it is not a replay, the entry is added to the cache for tracking.
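The following is an added, self-contained example (not code from the page or from the gokrb5 project) that re-implements the service-side checks described under MaxClockSkew, RequireHostAddr, VerifyAPREQ and Cache using only the standard library: an authenticator is rejected if its client time is outside the skew window, if host addresses are required but absent, or if the same client already presented an authenticator with the same ctime (RFC 4120 section 3.2.3). The Authenticator and Settings types, the cache layout and the verification order are assumptions of this example and stand in for the library's types.Authenticator, Settings and Cache; the sample authenticator is constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Authenticator carries the AP_REQ authenticator fields this example needs.
// Constructed stand-in for the library's types.Authenticator.
type Authenticator struct {
	CName           string    // client principal name, e.g. "alice"
	CRealm          string    // client realm, e.g. "EXAMPLE.COM"
	CTime           time.Time // client timestamp (Kerberos ctime plus cusec)
	ClientAddresses []string  // host addresses, may be empty
}

// Settings holds the two service-side knobs this example exercises (assumed shape).
type Settings struct {
	MaxClockSkew    time.Duration
	RequireHostAddr bool
}

type replayEntry struct {
	presented time.Time // when the service saw the authenticator
	sname     string    // service principal it was presented to
}

// ReplayCache remembers authenticators per fully qualified client name, then by
// ctime in microseconds, so a captured AP_REQ re-sent inside the skew window is rejected.
type ReplayCache struct {
	mu      sync.Mutex
	entries map[string]map[int64]replayEntry
}

func NewReplayCache() *ReplayCache {
	return &ReplayCache{entries: make(map[string]map[int64]replayEntry)}
}

func clientKey(a Authenticator) string { return a.CName + "@" + a.CRealm }

// IsReplay reports whether this client already presented an authenticator with the
// same ctime. On a miss it records the entry (the add-on-miss contract of Cache.IsReplay).
func (c *ReplayCache) IsReplay(now time.Time, sname string, a Authenticator) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	k, ct := clientKey(a), a.CTime.UnixMicro()
	if _, seen := c.entries[k][ct]; seen {
		return true
	}
	if c.entries[k] == nil {
		c.entries[k] = make(map[int64]replayEntry)
	}
	c.entries[k][ct] = replayEntry{presented: now, sname: sname}
	return false
}

// ClearOldEntries drops entries presented more than d before now. Anything older than
// the skew window is already rejected by the ctime check, so the cache only covers that window.
func (c *ReplayCache) ClearOldEntries(now time.Time, d time.Duration) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for k, m := range c.entries {
		for ct, e := range m {
			if now.Sub(e.presented) > d {
				delete(m, ct)
			}
		}
		if len(m) == 0 {
			delete(c.entries, k)
		}
	}
}

// VerifyAuthenticator applies the checks in order: freshness first (it bounds what the
// cache must hold), then the host-address policy, then replay. A real verifier also
// decrypts and validates the ticket with the keytab before any of this.
func VerifyAuthenticator(now time.Time, s Settings, c *ReplayCache, sname string, a Authenticator) error {
	if d := now.Sub(a.CTime); d > s.MaxClockSkew || d < -s.MaxClockSkew {
		return fmt.Errorf("authenticator ctime %s outside clock skew %s", a.CTime.Format(time.RFC3339), s.MaxClockSkew)
	}
	if s.RequireHostAddr && len(a.ClientAddresses) == 0 {
		return fmt.Errorf("host address required but none present")
	}
	if c.IsReplay(now, sname, a) {
		return fmt.Errorf("replay detected for %s", clientKey(a))
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	s := Settings{MaxClockSkew: 5 * time.Minute, RequireHostAddr: true}
	cache := NewReplayCache()
	// Constructed sample: an authenticator sent two seconds ago, then re-sent a second later.
	a := Authenticator{CName: "alice", CRealm: "EXAMPLE.COM",
		CTime: now.Add(-2 * time.Second), ClientAddresses: []string{"192.0.2.10"}}
	fmt.Println("first:", VerifyAuthenticator(now, s, cache, "HTTP/web.example.com", a))
	fmt.Println("replay:", VerifyAuthenticator(now.Add(time.Second), s, cache, "HTTP/web.example.com", a))
}
```

The freshness check comes before the replay check on purpose: it caps how long an entry has to live, which is why ClearOldEntries can safely use the same duration as MaxClockSkew, as the singleton returned by GetReplayCache is described as doing.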
type KRB5BasicAuthenticator ¶
type KRB5BasicAuthenticator struct {
BasicHeaderValue string
// contains filtered or unexported fields
}
KRB5BasicAuthenticator implements the goidentity.Authenticator interface. It takes a username and password, so it can be used for HTTP basic authentication. Because the client's password travels in the Basic header to the service, this should only be exposed over TLS.
func NewKRB5BasicAuthenticator ¶
func NewKRB5BasicAuthenticator(headerVal string, krb5conf *config.Config, serviceSettings *Settings, clientSettings *client.Settings) KRB5BasicAuthenticator
NewKRB5BasicAuthenticator creates a new KRB5BasicAuthenticator.
func (KRB5BasicAuthenticator) Authenticate ¶
func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)
Authenticate and return the identity. The boolean indicates if the authentication was successful.
func (KRB5BasicAuthenticator) Mechanism ¶
func (a KRB5BasicAuthenticator) Mechanism() string
Mechanism returns the authentication mechanism.
type SessionMgr ¶
type SessionMgr interface {
New(w http.ResponseWriter, r *http.Request, k string, v []byte) error
Get(r *http.Request, k string) ([]byte, error)
}
SessionMgr must provide ways to:
- Create new sessions and, in the process, add a value to the session under the key provided.
- Get an existing session, returning the value stored in the session under the key provided. Return nil bytes and/or an error if there is no session.
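As an added example (not code from the page or from the gokrb5 project), here is a minimal SessionMgr implementation using only the standard library: a random session ID travels in a cookie and the values stay server-side in memory. The interface is copied from the documentation above; the MemorySessionMgr type, the cookie name and the in-memory store are assumptions of this example. Get honours the documented contract by returning nil bytes and an error when the request carries no usable session.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// SessionMgr is the interface the service package expects, copied from its documentation.
type SessionMgr interface {
	New(w http.ResponseWriter, r *http.Request, k string, v []byte) error
	Get(r *http.Request, k string) ([]byte, error)
}

// ErrNoSession is returned by Get when the request carries no valid session.
var ErrNoSession = errors.New("no session")

// MemorySessionMgr is an illustrative in-memory SessionMgr (assumed name). The
// session ID is the only thing the client holds; values never leave the server.
// Entries never expire and are per-process, so a production manager would use a
// shared store with a TTL.
type MemorySessionMgr struct {
	cookieName string
	mu         sync.RWMutex
	sessions   map[string]map[string][]byte
}

func NewMemorySessionMgr(cookieName string) *MemorySessionMgr {
	return &MemorySessionMgr{cookieName: cookieName, sessions: make(map[string]map[string][]byte)}
}

// newSessionID returns 256 bits from crypto/rand so IDs cannot be guessed.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// New creates a fresh session holding k=v and sets the session cookie on w.
func (m *MemorySessionMgr) New(w http.ResponseWriter, r *http.Request, k string, v []byte) error {
	id, err := newSessionID()
	if err != nil {
		return err
	}
	m.mu.Lock()
	m.sessions[id] = map[string][]byte{k: append([]byte(nil), v...)}
	m.mu.Unlock()
	http.SetCookie(w, &http.Cookie{
		Name:     m.cookieName,
		Value:    id,
		Path:     "/",
		HttpOnly: true, // keep the ID away from scripts
		Secure:   true, // only send over TLS
		SameSite: http.SameSiteStrictMode,
	})
	return nil
}

// Get returns the value stored under k for the request's session, or nil and
// ErrNoSession when the cookie is absent, unknown, or holds no such key.
func (m *MemorySessionMgr) Get(r *http.Request, k string) ([]byte, error) {
	c, err := r.Cookie(m.cookieName)
	if err != nil {
		return nil, ErrNoSession
	}
	m.mu.RLock()
	defer m.mu.RUnlock()
	v, ok := m.sessions[c.Value][k]
	if !ok {
		return nil, ErrNoSession
	}
	return append([]byte(nil), v...), nil
}

// Compile-time check that MemorySessionMgr satisfies the documented interface.
var _ SessionMgr = (*MemorySessionMgr)(nil)

func main() {
	m := NewMemorySessionMgr("krb5sid")
	rec := httptest.NewRecorder()
	if err := m.New(rec, httptest.NewRequest("GET", "/", nil), "user", []byte("alice@EXAMPLE.COM")); err != nil {
		panic(err)
	}
	// Replay the Set-Cookie the server issued on a second request, as a browser would.
	req := httptest.NewRequest("GET", "/", nil)
	req.AddCookie(rec.Result().Cookies()[0])
	v, err := m.Get(req, "user")
	fmt.Println(string(v), err)
}
```

Pass the manager to the service with NewSettings(kt, SessionManager(m)). The value stored under the key is whatever the service puts there after a successful AP_REQ verification, so the cookie effectively stands in for the Kerberos identity for the life of the session; keep HttpOnly and Secure set and give the store a lifetime no longer than the ticket's.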
type Settings ¶
Settings defines service side configuration settings.
func NewSettings ¶
NewSettings creates a new service Settings.
func (*Settings) ClientAddress ¶
func (s *Settings) ClientAddress() types.HostAddress
ClientAddress returns the client host address which has been provided to the service.
func (*Settings) DecodePAC ¶
func (s *Settings) DecodePAC() bool
DecodePAC indicates whether the service should decode any PAC information present in the ticket.
func (*Settings) KeytabPrincipal ¶
func (s *Settings) KeytabPrincipal() *types.PrincipalName
KeytabPrincipal returns the principal name used to find the key in the keytab if it has been overridden.
func (*Settings) Logger ¶
func (s *Settings) Logger() *log.Logger
Logger returns the logger instance configured for the service. If none is configured, nil is returned.
func (*Settings) MaxClockSkew ¶
func (s *Settings) MaxClockSkew() time.Duration
MaxClockSkew returns the maximum acceptable clock skew between the service and the issue time of Kerberos tickets. If none is defined, a duration of 5 minutes is returned.
func (*Settings) RequireHostAddr ¶
func (s *Settings) RequireHostAddr() bool
RequireHostAddr indicates if the service should require the host address to be included in the ticket.
func (*Settings) SessionManager ¶
func (s *Settings) SessionManager() SessionMgr
SessionManager returns any configured session manager.