spnego

Package v8.4.5-secman.1.0.7 (Latest)
Published: Sep 2, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation
Overview

Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication.

Constants

const (
	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
	HTTPHeaderAuthRequest = "Authorization"
	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
	HTTPHeaderAuthResponse = "WWW-Authenticate"
	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
	HTTPHeaderAuthResponseValueKey = "Negotiate"
	// UnauthorizedMsg is the message returned in the body when authentication fails.
	UnauthorizedMsg = "Unauthorised.\n"
)

const (
	TOK_ID_KRB_AP_REQ = "0100"
	TOK_ID_KRB_AP_REP = "0200"
	TOK_ID_KRB_ERROR  = "0300"
)

GSSAPI KRB5 MechToken IDs.

Variables

This section is empty.

Functions

func SPNEGOKRB5Authenticate

func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler

SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.

func SetSPNEGOHeader

func SetSPNEGOHeader(cl *client.Client, r *http.Request, spn string) error

SetSPNEGOHeader obtains the service ticket and sets it as the SPNEGO Authorization header on the HTTP request object. To auto-generate the SPN from the request object, pass an empty string ("").

func UnmarshalNegToken

func UnmarshalNegToken(b []byte) (bool, interface{}, error)

UnmarshalNegToken unmarshals and returns either a NegTokenInit or a NegTokenResp.

The boolean indicates whether the token is a NegTokenInit. If the error is nil and the boolean is false, the token is a NegTokenResp.
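The triage UnmarshalNegToken performs (is there a GSS-API header, does it carry the SPNEGO OID, is the CHOICE a [0] NegTokenInit or a [1] NegTokenResp) can be reproduced with only the standard library. The following is an added example and not gokrb5 code: the struct tags follow RFC 4178, the header wrapping follows RFC 2743, the OIDs are the registered SPNEGO and Kerberos V5 values, and the inner mechanism-token bytes are constructed placeholders rather than real Kerberos messages. It also rejects trailing bytes and a non-SPNEGO mechanism OID, which is the check a service should apply before handing the inner token to Kerberos.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"strings"
)

var oidSPNEGO = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}          // SPNEGO, RFC 4178
var oidKerberos5 = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2} // Kerberos V5, RFC 1964

// RFC 4178 NegTokenInit and NegTokenResp; every member has an explicit context tag.
type negTokenInit struct {
	MechTypes   []asn1.ObjectIdentifier `asn1:"explicit,tag:0"`
	ReqFlags    asn1.BitString          `asn1:"explicit,optional,tag:1"`
	MechToken   []byte                  `asn1:"explicit,optional,tag:2"`
	MechListMIC []byte                  `asn1:"explicit,optional,tag:3"`
}

type negTokenResp struct {
	NegState      asn1.Enumerated       `asn1:"explicit,optional,tag:0"` // 0 accept-completed .. 3 request-mic
	SupportedMech asn1.ObjectIdentifier `asn1:"explicit,optional,tag:1"`
	ResponseToken []byte                `asn1:"explicit,optional,tag:2"`
	MechListMIC   []byte                `asn1:"explicit,optional,tag:3"`
}

// wrapTag encloses already-encoded DER content in a constructed tag.
func wrapTag(class, tag int, content []byte) []byte {
	b, _ := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: true, Bytes: content}) // RawValue encoding cannot fail
	return b
}

// buildNegTokenInit returns a GSS-API InitialContextToken (RFC 2743 section 3.1):
// [APPLICATION 0] { SPNEGO OID, [0] NegTokenInit }, offering Kerberos V5 only.
func buildNegTokenInit(mechToken []byte) ([]byte, error) {
	seq, err := asn1.Marshal(negTokenInit{MechTypes: []asn1.ObjectIdentifier{oidKerberos5}, MechToken: mechToken})
	if err != nil {
		return nil, err
	}
	oid, _ := asn1.Marshal(oidSPNEGO)
	return wrapTag(asn1.ClassApplication, 0, append(oid, wrapTag(asn1.ClassContextSpecific, 0, seq)...)), nil
}

// buildNegTokenResp returns a bare [1] NegTokenResp as a server sends it in WWW-Authenticate
// (no GSS-API header). encoding/asn1 omits an optional ENUMERATED equal to 0; it decodes back to 0.
func buildNegTokenResp(state asn1.Enumerated, responseToken []byte) ([]byte, error) {
	seq, err := asn1.Marshal(negTokenResp{NegState: state, SupportedMech: oidKerberos5, ResponseToken: responseToken})
	if err != nil {
		return nil, err
	}
	return wrapTag(asn1.ClassContextSpecific, 1, seq), nil
}

// parseNegotiateHeader extracts the token from a "Negotiate <base64>" header value.
func parseNegotiateHeader(value string) ([]byte, error) {
	fields := strings.Fields(value)
	if len(fields) != 2 || !strings.EqualFold(fields[0], "Negotiate") {
		return nil, fmt.Errorf("not a Negotiate credential")
	}
	return base64.StdEncoding.DecodeString(fields[1])
}

// classifyNegToken mirrors UnmarshalNegToken: strip an optional GSS-API header, require
// the SPNEGO OID, then decode the CHOICE as (true, negTokenInit) or (false, negTokenResp).
func classifyNegToken(b []byte) (bool, interface{}, error) {
	var raw asn1.RawValue
	rest, err := asn1.Unmarshal(b, &raw)
	if err != nil || len(rest) != 0 {
		return false, nil, fmt.Errorf("not a single DER element")
	}
	if raw.Class == asn1.ClassApplication && raw.Tag == 0 { // InitialContextToken: OID, then token
		var mech asn1.ObjectIdentifier
		inner, err := asn1.Unmarshal(raw.Bytes, &mech)
		if err != nil || !mech.Equal(oidSPNEGO) {
			return false, nil, fmt.Errorf("GSS-API header does not carry the SPNEGO OID")
		}
		if rest, err = asn1.Unmarshal(inner, &raw); err != nil || len(rest) != 0 {
			return false, nil, fmt.Errorf("malformed inner negotiation token")
		}
	}
	switch {
	case raw.Class == asn1.ClassContextSpecific && raw.Tag == 0:
		var n negTokenInit
		if _, err := asn1.Unmarshal(raw.Bytes, &n); err != nil || len(n.MechTypes) == 0 {
			return false, nil, fmt.Errorf("bad NegTokenInit: %v", err)
		}
		return true, n, nil
	case raw.Class == asn1.ClassContextSpecific && raw.Tag == 1:
		var n negTokenResp
		if _, err := asn1.Unmarshal(raw.Bytes, &n); err != nil {
			return false, nil, fmt.Errorf("bad NegTokenResp: %v", err)
		}
		return false, n, nil
	}
	return false, nil, fmt.Errorf("unexpected NegotiationToken tag %d", raw.Tag)
}

func main() {
	tok, _ := buildNegTokenInit([]byte("constructed placeholder, not a real AP-REQ"))
	fmt.Println(classifyNegToken(tok))
}
```

A client token arrives base64-encoded in the Authorization header and is wrapped in the GSS-API header; the server's reply in WWW-Authenticate is a bare NegTokenResp, which is why the header is optional in the classifier. Note the encoding/asn1 quirk in buildNegTokenResp: an optional NegState of 0 (accept-completed) is simply omitted from the encoding, so absence and accept-completed are indistinguishable on decode.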

Types

type Client

type Client struct {
	*http.Client
	// contains filtered or unexported fields
}

Client will negotiate authentication with a server using SPNEGO.

func NewClient

func NewClient(krb5Cl *client.Client, httpCl *http.Client, spn string) *Client

NewClient returns a SPNEGO-enabled HTTP client. Be careful when passing in the *http.Client if it is being reused across multiple calls to this function. Ensure the provided *http.Client is only reused for the same user, as a session cookie may have been added to the http.Client's cookie jar. Incorrect reuse of the provided *http.Client could grant access to the wrong user's session.
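The reuse hazard described above can be reproduced without a Kerberos realm. The following is an added example and not gokrb5 code: an in-memory stand-in for a service wrapped by SPNEGOKRB5Authenticate, implemented as an http.RoundTripper so nothing listens on the network, authenticates once from a simulated "Negotiate <principal>" credential, issues a session cookie and trusts that cookie on later requests. The client side follows the challenge-then-retry pattern of the SPNEGO client. The cookie name, hostname and principal names are constructed; the bare-name credential stands in for a real SPNEGO token and is not verified.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"strings"
)

const sessionCookie = "gokrb5-session" // constructed name for the simulated session cookie

// fakeSPNEGOService stands in for a service wrapped by SPNEGOKRB5Authenticate and runs as
// the client's RoundTripper, so no socket is opened. The credential "Negotiate <principal>"
// is a simulation: a real service verifies a Kerberos AP-REQ here instead of trusting a name.
type fakeSPNEGOService struct {
	sessions map[string]string // session cookie value -> authenticated principal
}

func (s *fakeSPNEGOService) RoundTrip(req *http.Request) (*http.Response, error) {
	reply := func(status int, body string) *http.Response {
		return &http.Response{StatusCode: status, Header: http.Header{}, Body: io.NopCloser(strings.NewReader(body)), Request: req}
	}
	// A valid session cookie bypasses authentication: the behaviour that makes
	// jar reuse across users dangerous.
	if c, err := req.Cookie(sessionCookie); err == nil {
		if who, ok := s.sessions[c.Value]; ok {
			return reply(http.StatusOK, who), nil
		}
	}
	auth := req.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Negotiate ") {
		resp := reply(http.StatusUnauthorized, "Unauthorised.\n")
		resp.Header.Set("WWW-Authenticate", "Negotiate")
		return resp, nil
	}
	principal := strings.TrimPrefix(auth, "Negotiate ") // simulated: no token verification
	id := fmt.Sprintf("sess-%d", len(s.sessions)+1)
	s.sessions[id] = principal
	resp := reply(http.StatusOK, principal)
	resp.Header.Add("Set-Cookie", (&http.Cookie{Name: sessionCookie, Value: id, Path: "/"}).String())
	return resp, nil
}

// doAsUser follows the SPNEGO client pattern: request first, and only on a 401 with
// WWW-Authenticate: Negotiate retry with the credential. It returns who the service thinks called.
func doAsUser(cl *http.Client, principal string) (string, error) {
	const target = "http://service.example/whoami"
	req, _ := http.NewRequest(http.MethodGet, target, nil)
	resp, err := cl.Do(req)
	if err != nil {
		return "", err
	}
	if resp.StatusCode == http.StatusUnauthorized && resp.Header.Get("WWW-Authenticate") == "Negotiate" {
		resp.Body.Close()
		req, _ = http.NewRequest(http.MethodGet, target, nil)
		req.Header.Set("Authorization", "Negotiate "+principal)
		if resp, err = cl.Do(req); err != nil {
			return "", err
		}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func newClient(svc *fakeSPNEGOService) *http.Client {
	jar, _ := cookiejar.New(nil)
	return &http.Client{Transport: svc, Jar: jar}
}

// sharedClientLeak reuses one *http.Client (one cookie jar) for two users, the misuse the
// NewClient documentation warns about: Bob's request rides Alice's cookie and is answered as Alice.
func sharedClientLeak() (aliceSees, bobSees string, err error) {
	shared := newClient(&fakeSPNEGOService{sessions: map[string]string{}})
	if aliceSees, err = doAsUser(shared, "alice@EXAMPLE.COM"); err != nil {
		return
	}
	bobSees, err = doAsUser(shared, "bob@EXAMPLE.COM")
	return
}

// perUserClients gives each user a distinct *http.Client and jar, so each is
// challenged and authenticated on their own.
func perUserClients() (aliceSees, bobSees string, err error) {
	svc := &fakeSPNEGOService{sessions: map[string]string{}}
	if aliceSees, err = doAsUser(newClient(svc), "alice@EXAMPLE.COM"); err != nil {
		return
	}
	bobSees, err = doAsUser(newClient(svc), "bob@EXAMPLE.COM")
	return
}

func main() {
	a, b, _ := sharedClientLeak()
	fmt.Printf("shared client: alice sees %q, bob sees %q\n", a, b)
}
```

With the shared client Bob is never challenged, because the jar attaches Alice's session cookie to his first request and the service accepts it; with one client per user each gets a 401 challenge and a session of their own. The same outcome follows with the real client whenever the server side keeps sessions in cookies, which is why the jar must not outlive the user it was populated for.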

func (*Client) Do

func (c *Client) Do(req *http.Request) (resp *http.Response, err error)

Do is the SPNEGO-enabled HTTP client's equivalent of the http.Client's Do method.

func (*Client) Get

func (c *Client) Get(url string) (resp *http.Response, err error)

Get is the SPNEGO-enabled HTTP client's equivalent of the http.Client's Get method.

func (*Client) Head

func (c *Client) Head(url string) (resp *http.Response, err error)

Head is the SPNEGO-enabled HTTP client's equivalent of the http.Client's Head method.

func (*Client) Post

func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error)

Post is the SPNEGO-enabled HTTP client's equivalent of the http.Client's Post method.

func (*Client) PostForm

func (c *Client) PostForm(url string, data url.Values) (resp *http.Response, err error)

PostForm is the SPNEGO-enabled HTTP client's equivalent of the http.Client's PostForm method.

type KRB5Token

type KRB5Token struct {
	OID asn1.ObjectIdentifier

	APReq    messages.APReq
	APRep    messages.APRep
	KRBError messages.KRBError
	// contains filtered or unexported fields
}

KRB5Token is the context token implementation for GSSAPI.

func NewKRB5TokenAPREQ

func NewKRB5TokenAPREQ(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (KRB5Token, error)

NewKRB5TokenAPREQ creates a new KRB5 token containing an AP_REQ.

func (*KRB5Token) Context

func (m *KRB5Token) Context() context.Context

Context returns the KRB5 token's context, which will contain any verified user identity information.

func (*KRB5Token) IsAPRep

func (m *KRB5Token) IsAPRep() bool

IsAPRep tests if the MechToken contains an AP_REP.

func (*KRB5Token) IsAPReq

func (m *KRB5Token) IsAPReq() bool

IsAPReq tests if the MechToken contains an AP_REQ.

func (*KRB5Token) IsKRBError

func (m *KRB5Token) IsKRBError() bool

IsKRBError tests if the MechToken contains a KRB_ERROR.

func (*KRB5Token) Marshal

func (m *KRB5Token) Marshal() ([]byte, error)

Marshal a KRB5Token into a slice of bytes.

func (*KRB5Token) Unmarshal

func (m *KRB5Token) Unmarshal(b []byte) error

Unmarshal a KRB5Token.

func (*KRB5Token) Verify

func (m *KRB5Token) Verify() (bool, gssapi.Status)

Verify a KRB5Token.

type NegState

type NegState int

NegState is a type to indicate the SPNEGO negotiation state.

const (
	NegStateAcceptCompleted  NegState = 0
	NegStateAcceptIncomplete NegState = 1
	NegStateReject           NegState = 2
	NegStateRequestMIC       NegState = 3
)

Negotiation state values.

type NegTokenInit

type NegTokenInit struct {
	MechTypes      []asn1.ObjectIdentifier
	ReqFlags       asn1.BitString
	MechTokenBytes []byte
	MechListMIC    []byte
	// contains filtered or unexported fields
}

NegTokenInit implements Negotiation Token of type Init.

func NewNegTokenInitKRB5

func NewNegTokenInitKRB5(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)

NewNegTokenInitKRB5 creates a new Init negotiation token for Kerberos 5.

func (*NegTokenInit) Context

func (n *NegTokenInit) Context() context.Context

Context returns the SPNEGO context, which will contain any verified user identity information.

func (*NegTokenInit) Marshal

func (n *NegTokenInit) Marshal() ([]byte, error)

Marshal an Init negotiation token.

func (*NegTokenInit) Unmarshal

func (n *NegTokenInit) Unmarshal(b []byte) error

Unmarshal an Init negotiation token.

func (*NegTokenInit) Verify

func (n *NegTokenInit) Verify() (bool, gssapi.Status)

Verify an Init negotiation token.

type NegTokenResp

type NegTokenResp struct {
	NegState      asn1.Enumerated
	SupportedMech asn1.ObjectIdentifier
	ResponseToken []byte
	MechListMIC   []byte
	// contains filtered or unexported fields
}

NegTokenResp implements Negotiation Token of type Resp/Targ.

func (*NegTokenResp) Context

func (n *NegTokenResp) Context() context.Context

Context returns the SPNEGO context, which will contain any verified user identity information.

func (*NegTokenResp) Marshal

func (n *NegTokenResp) Marshal() ([]byte, error)

Marshal a Resp/Targ negotiation token.

func (*NegTokenResp) State

func (n *NegTokenResp) State() NegState

State returns the negotiation state of the negotiation response.

func (*NegTokenResp) Unmarshal

func (n *NegTokenResp) Unmarshal(b []byte) error

Unmarshal a Resp/Targ negotiation token.

func (*NegTokenResp) Verify

func (n *NegTokenResp) Verify() (bool, gssapi.Status)

Verify a Resp/Targ negotiation token.

type NegTokenTarg

type NegTokenTarg NegTokenResp

NegTokenTarg implements Negotiation Token of type Resp/Targ.

type SPNEGO

type SPNEGO struct {
	// contains filtered or unexported fields
}

SPNEGO implements the GSS-API mechanism defined in RFC 4178.

func SPNEGOClient

func SPNEGOClient(cl *client.Client, spn string) *SPNEGO

SPNEGOClient configures the SPNEGO mechanism suitable for client side use.

func SPNEGOService

func SPNEGOService(kt *keytab.Keytab, options ...func(*service.Settings)) *SPNEGO

SPNEGOService configures the SPNEGO mechanism suitable for service side use.

func (*SPNEGO) AcceptSecContext

func (s *SPNEGO) AcceptSecContext(ct gssapi.ContextToken) (bool, context.Context, gssapi.Status)

AcceptSecContext is the GSS-API method for the service to verify the context token provided by the client and establish a context.

func (*SPNEGO) AcquireCred

func (s *SPNEGO) AcquireCred() error

AcquireCred is the GSS-API method to acquire a client credential via Kerberos for SPNEGO.

func (*SPNEGO) InitSecContext

func (s *SPNEGO) InitSecContext() (gssapi.ContextToken, error)

InitSecContext is the GSS-API method for the client to generate a context token to send to the service via Kerberos.

func (*SPNEGO) Log

func (s *SPNEGO) Log(format string, v ...interface{})

Log will write to the service's logger if it is configured.

func (*SPNEGO) OID

func (s *SPNEGO) OID() asn1.ObjectIdentifier

OID returns the GSS-API assigned OID for SPNEGO.

type SPNEGOToken

type SPNEGOToken struct {
	Init         bool
	Resp         bool
	NegTokenInit NegTokenInit
	NegTokenResp NegTokenResp
	// contains filtered or unexported fields
}

SPNEGOToken is a GSS-API context token.

func (*SPNEGOToken) Context

func (s *SPNEGOToken) Context() context.Context

Context returns the SPNEGO context, which will contain any verified user identity information.

func (*SPNEGOToken) Marshal

func (s *SPNEGOToken) Marshal() ([]byte, error)

Marshal the SPNEGO context token.

func (*SPNEGOToken) Unmarshal

func (s *SPNEGOToken) Unmarshal(b []byte) error

Unmarshal the SPNEGO context token.

func (*SPNEGOToken) Verify

func (s *SPNEGOToken) Verify() (bool, gssapi.Status)

Verify the SPNEGOToken.
