Documentation ¶
Overview ¶
Package service provides server side integrations for Kerberos authentication.
Index ¶
- Constants
- func SPNEGOKRB5Authenticate(f http.Handler, kt keytab.Keytab, ktprinc string, requireHostAddr bool, ...) http.Handler
- func ValidateAPREQ(APReq messages.APReq, kt keytab.Keytab, sa string, cAddr string, ...) (bool, credentials.Credentials, error)
- type Cache
- type KRB5BasicAuthenticator
- type SPNEGOAuthenticator
Constants ¶
const ( // CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated. CTXKeyAuthenticated ctxKey = 0 // CTXKeyCredentials is the request context key holding the credentials gopkg.in/jcmturner/goidentity.v2/Identity object. CTXKeyCredentials ctxKey = 1 // HTTPHeaderAuthRequest is the header that will hold authn/z information. HTTPHeaderAuthRequest = "Authorization" // HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server. HTTPHeaderAuthResponse = "WWW-Authenticate" // HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO. HTTPHeaderAuthResponseValueKey = "Negotiate" UnauthorizedMsg = "Unauthorised.\n" )
Variables ¶
This section is empty.
Functions ¶
func SPNEGOKRB5Authenticate ¶
func SPNEGOKRB5Authenticate(f http.Handler, kt keytab.Keytab, ktprinc string, requireHostAddr bool, l *log.Logger) http.Handler
SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.
kt - keytab for the service user
ktprinc - keytab principal override for the service. The service looks for this principal in the keytab to use to decrypt tickets. If "" is passed as ktprinc then the principal will be automatically derived from the service name (SName) and realm in the ticket the service is trying to decrypt. This is often sufficient if you create the SPN in MIT KDC with: /usr/sbin/kadmin.local -q "add_principal HTTP/<fqdn>" When Active Directory is used for the KDC this may need to be the account name you have set the SPN against (setspn.exe -a "HTTP/<fqdn>" <account name>) If you are unsure run:
klist -k <service's keytab file>
and use the value from the Principal column for the keytab entry the service should use.
func ValidateAPREQ ¶
func ValidateAPREQ(APReq messages.APReq, kt keytab.Keytab, sa string, cAddr string, requireHostAddr bool) (bool, credentials.Credentials, error)
ValidateAPREQ validates an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.
Types ¶
type Cache ¶
type Cache struct { Entries map[string]clientEntries // contains filtered or unexported fields }
Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.
func GetReplayCache ¶
GetReplayCache returns a pointer to the Cache singleton.
func (*Cache) AddEntry ¶
func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)
AddEntry adds an entry to the Cache.
func (*Cache) ClearOldEntries ¶
ClearOldEntries clears entries from the Cache that are older than the duration provided.
func (*Cache) IsReplay ¶
func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool
IsReplay tests if the Authenticator provided is a replay within the duration defined. If this is not a replay add the entry to the cache for tracking.
type KRB5BasicAuthenticator ¶
type KRB5BasicAuthenticator struct { BasicHeaderValue string ServiceKeytab *keytab.Keytab ServiceAccount string Config *config.Config SPN string // contains filtered or unexported fields }
KRB5BasicAuthenticator implements gopkg.in/jcmturner/goidentity.v2.Authenticator interface. It takes username and password so can be used for basic authentication.
func (KRB5BasicAuthenticator) Authenticate ¶
func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)
Authenticate and return the identity. The boolean indicates if the authentication was successful.
func (KRB5BasicAuthenticator) Mechanism ¶
func (a KRB5BasicAuthenticator) Mechanism() string
Mechanism returns the authentication mechanism.
type SPNEGOAuthenticator ¶
type SPNEGOAuthenticator struct { SPNEGOHeaderValue string Keytab *keytab.Keytab ServiceAccount string ClientAddr string RequireHostAddr bool }
SPNEGOAuthenticator implements gopkg.in/jcmturner/goidentity.v2.Authenticator interface
func (SPNEGOAuthenticator) Authenticate ¶
func (a SPNEGOAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)
Authenticate and retrieve a goidentity.Identity. In this case it is a pointer to a credentials.Credentials
func (SPNEGOAuthenticator) Mechanism ¶
func (a SPNEGOAuthenticator) Mechanism() string
Mechanism returns the authentication mechanism.