service

package
v6.0.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 8, 2018 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Overview

Package service provides server side integrations for Kerberos authentication.

Index

Constants

View Source
const (

	// CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated.
	CTXKeyAuthenticated ctxKey = 0
	// CTXKeyCredentials is the request context key holding the credentials gopkg.in/jcmturner/goidentity.v2/Identity object.
	CTXKeyCredentials ctxKey = 1
	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
	HTTPHeaderAuthRequest = "Authorization"
	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
	HTTPHeaderAuthResponse = "WWW-Authenticate"
	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
	HTTPHeaderAuthResponseValueKey = "Negotiate"
	// UnauthorizedMsg is the message returned in the body when authentication fails.
	UnauthorizedMsg = "Unauthorised.\n"
)

Variables

This section is empty.

Functions

func SPNEGOKRB5Authenticate

func SPNEGOKRB5Authenticate(f http.Handler, c *Config, l *log.Logger) http.Handler

SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.

func ValidateAPREQ

func ValidateAPREQ(APReq messages.APReq, sa SPNEGOAuthenticator) (bool, credentials.Credentials, error)

ValidateAPREQ validates an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.

Types

type Cache

type Cache struct {
	// contains filtered or unexported fields
}

Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.

func GetReplayCache

func GetReplayCache(d time.Duration) *Cache

GetReplayCache returns a pointer to the Cache singleton.

func (*Cache) AddEntry

func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)

AddEntry adds an entry to the Cache.

func (*Cache) ClearOldEntries

func (c *Cache) ClearOldEntries(d time.Duration)

ClearOldEntries clears entries from the Cache that are older than the duration provided.

func (*Cache) IsReplay

func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool

IsReplay tests if the Authenticator provided is a replay within the duration defined. If this is not a replay add the entry to the cache for tracking.

type Config

type Config struct {
	Keytab             keytab.Keytab
	ServicePrincipal   string
	RequireHostAddr    bool
	DisablePACDecoding bool
}

Config for service side implementation

Keytab (mandatory) - keytab for the service user

KeytabPrincipal (optional) - keytab principal override for the service. The service looks for this principal in the keytab to use to decrypt tickets. If "" is passed as KeytabPrincipal then the principal will be automatically derived from the service name (SName) and realm in the ticket the service is trying to decrypt. This is often sufficient if you create the SPN in MIT KDC with: /usr/sbin/kadmin.local -q "add_principal HTTP/<fqdn>" When Active Directory is used for the KDC this may need to be the account name you have set the SPN against (setspn.exe -a "HTTP/<fqdn>" <account name>) If you are unsure run:

klist -k <service's keytab file>

and use the value from the Principal column for the keytab entry the service should use.

RequireHostAddr - require that the kerberos ticket must include client host IP addresses and one must match the client making the request. This is controlled in the client config with the noaddresses option (http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html).

DisablePACDecoding - if set to true decoding of the Microsoft PAC will be disabled.

func NewConfig

func NewConfig(kt keytab.Keytab) *Config

NewConfig creates a new kerberos service Config.

func (*Config) Authenticate

func (c *Config) Authenticate(neg, addr string) (i goidentity.Identity, ok bool, err error)

Authenticate performs authentication checks against the negotiation header value provided.

type KRB5BasicAuthenticator

type KRB5BasicAuthenticator struct {
	SPN              string
	BasicHeaderValue string
	ServiceConfig    Config
	ClientConfig     *config.Config
	// contains filtered or unexported fields
}

KRB5BasicAuthenticator implements gopkg.in/jcmturner/goidentity.v3.Authenticator interface. It takes username and password so can be used for basic authentication.

func (KRB5BasicAuthenticator) Authenticate

func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

Authenticate and return the identity. The boolean indicates if the authentication was successful.

func (KRB5BasicAuthenticator) Mechanism

func (a KRB5BasicAuthenticator) Mechanism() string

Mechanism returns the authentication mechanism.

type SPNEGOAuthenticator

type SPNEGOAuthenticator struct {
	SPNEGOHeaderValue string
	ClientAddr        string
	Config            *Config
}

SPNEGOAuthenticator implements gopkg.in/jcmturner/goidentity.v3.Authenticator interface

func NewSPNEGOAuthenticator

func NewSPNEGOAuthenticator(kt keytab.Keytab) (a SPNEGOAuthenticator)

NewSPNEGOAuthenticator creates a new SPNEGOAuthenticator.

func (SPNEGOAuthenticator) Authenticate

func (a SPNEGOAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

Authenticate and retrieve a goidentity.Identity. In this case it is a pointer to a credentials.Credentials

func (SPNEGOAuthenticator) Mechanism

func (a SPNEGOAuthenticator) Mechanism() string

Mechanism returns the authentication mechanism.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL