service

package
v5.2.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 16, 2018 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package service provides server side integrations for Kerberos authentication.

Index

Constants

View Source
const (

	// CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated.
	CTXKeyAuthenticated ctxKey = 0
	// CTXKeyCredentials is the request context key holding the credentials gopkg.in/jcmturner/goidentity.v2/Identity object.
	CTXKeyCredentials ctxKey = 1
	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
	HTTPHeaderAuthRequest = "Authorization"
	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
	HTTPHeaderAuthResponse = "WWW-Authenticate"
	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
	HTTPHeaderAuthResponseValueKey = "Negotiate"
	// UnauthorizedMsg is the message returned in the body when authentication fails.
	UnauthorizedMsg = "Unauthorised.\n"
)

Variables

This section is empty.

Functions

func SPNEGOKRB5Authenticate

func SPNEGOKRB5Authenticate(f http.Handler, kt keytab.Keytab, ktprinc string, requireHostAddr bool, l *log.Logger) http.Handler

SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.

kt - keytab for the service user

ktprinc - keytab principal override for the service. The service looks for this principal in the keytab to use to decrypt tickets. If "" is passed as ktprinc then the principal will be automatically derived from the service name (SName) and realm in the ticket the service is trying to decrypt. This is often sufficient if you create the SPN in MIT KDC with: /usr/sbin/kadmin.local -q "add_principal HTTP/<fqdn>" When Active Directory is used for the KDC this may need to be the account name you have set the SPN against (setspn.exe -a "HTTP/<fqdn>" <account name>) If you are unsure run:

klist -k <service's keytab file>

and use the value from the Principal column for the keytab entry the service should use.

func ValidateAPREQ

func ValidateAPREQ(APReq messages.APReq, kt keytab.Keytab, sa string, cAddr string, requireHostAddr bool) (bool, credentials.Credentials, error)

ValidateAPREQ validates an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.

Types

type Cache

type Cache struct {
	Entries map[string]clientEntries
	// contains filtered or unexported fields
}

Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.

func GetReplayCache

func GetReplayCache(d time.Duration) *Cache

GetReplayCache returns a pointer to the Cache singleton.

func (*Cache) AddEntry

func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)

AddEntry adds an entry to the Cache.

func (*Cache) ClearOldEntries

func (c *Cache) ClearOldEntries(d time.Duration)

ClearOldEntries clears entries from the Cache that are older than the duration provided.

func (*Cache) IsReplay

func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool

IsReplay tests if the Authenticator provided is a replay within the duration defined. If this is not a replay add the entry to the cache for tracking.

type KRB5BasicAuthenticator

type KRB5BasicAuthenticator struct {
	BasicHeaderValue string

	ServiceKeytab  *keytab.Keytab
	ServiceAccount string
	Config         *config.Config
	SPN            string
	// contains filtered or unexported fields
}

KRB5BasicAuthenticator implements gopkg.in/jcmturner/goidentity.v2.Authenticator interface. It takes username and password so can be used for basic authentication.

func (KRB5BasicAuthenticator) Authenticate

func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

Authenticate and return the identity. The boolean indicates if the authentication was successful.

func (KRB5BasicAuthenticator) Mechanism

func (a KRB5BasicAuthenticator) Mechanism() string

Mechanism returns the authentication mechanism.

type SPNEGOAuthenticator

type SPNEGOAuthenticator struct {
	SPNEGOHeaderValue string
	Keytab            *keytab.Keytab
	ServiceAccount    string
	ClientAddr        string
	RequireHostAddr   bool
}

SPNEGOAuthenticator implements gopkg.in/jcmturner/goidentity.v2.Authenticator interface

func (SPNEGOAuthenticator) Authenticate

func (a SPNEGOAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

Authenticate and retrieve a goidentity.Identity. In this case it is a pointer to a credentials.Credentials

func (SPNEGOAuthenticator) Mechanism

func (a SPNEGOAuthenticator) Mechanism() string

Mechanism returns the authentication mechanism.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL