spnego

package
v8.4.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 25, 2023 License: Apache-2.0 Imports: 27 Imported by: 94

Documentation

Overview

Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication.

Index

Constants

View Source 
const (

	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
	HTTPHeaderAuthRequest = "Authorization"
	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
	HTTPHeaderAuthResponse = "WWW-Authenticate"
	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
	HTTPHeaderAuthResponseValueKey = "Negotiate"
	// UnauthorizedMsg is the message returned in the body when authentication fails.
	UnauthorizedMsg = "Unauthorised.\n"
)
View Source 
const (
	TOK_ID_KRB_AP_REQ = "0100"
	TOK_ID_KRB_AP_REP = "0200"
	TOK_ID_KRB_ERROR  = "0300"
)

GSSAPI KRB5 MechToken IDs.

Variables

This section is empty.

Functions

func SPNEGOKRB5Authenticate 

func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler

SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.

func SetSPNEGOHeader 

func SetSPNEGOHeader(cl *client.Client, r *http.Request, spn string) error

SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on HTTP request object. To auto generate the SPN from the request object pass a null string "".

func UnmarshalNegToken 

func UnmarshalNegToken(b []byte) (bool, interface{}, error)

UnmarshalNegToken umarshals and returns either a NegTokenInit or a NegTokenResp.

The boolean indicates if the response is a NegTokenInit. If error is nil and the boolean is false the response is a NegTokenResp.

Types

type Client 

type Client struct {
	*http.Client
	// contains filtered or unexported fields
}

Client will negotiate authentication with a server using SPNEGO.

func NewClient 

func NewClient(krb5Cl *client.Client, httpCl *http.Client, spn string) *Client

NewClient returns a SPNEGO enabled HTTP client. Be careful when passing in the *http.Client if it is beginning reused in multiple calls to this function. Ensure reuse of the provided *http.Client is for the same user as a session cookie may have been added to http.Client's cookie jar. Incorrect reuse of the provided *http.Client could lead to access to the wrong user's session.

func (*Client) Do 

func (c *Client) Do(req *http.Request) (resp *http.Response, err error)

Do is the SPNEGO enabled HTTP client's equivalent of the http.Client's Do method.

func (*Client) Get 

func (c *Client) Get(url string) (resp *http.Response, err error)

Get is the SPNEGO enabled HTTP client's equivalent of the http.Client's Get method.

func (*Client) Head 

func (c *Client) Head(url string) (resp *http.Response, err error)

Head is the SPNEGO enabled HTTP client's equivalent of the http.Client's Head method.

func (*Client) Post 

func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error)

Post is the SPNEGO enabled HTTP client's equivalent of the http.Client's Post method.

func (*Client) PostForm 

func (c *Client) PostForm(url string, data url.Values) (resp *http.Response, err error)

PostForm is the SPNEGO enabled HTTP client's equivalent of the http.Client's PostForm method.

type KRB5Token 

type KRB5Token struct {
	OID asn1.ObjectIdentifier

	APReq    messages.APReq
	APRep    messages.APRep
	KRBError messages.KRBError
	// contains filtered or unexported fields
}

KRB5Token context token implementation for GSSAPI.

func NewKRB5TokenAPREQ 

func NewKRB5TokenAPREQ(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (KRB5Token, error)

NewKRB5TokenAPREQ creates a new KRB5 token with AP_REQ

func (*KRB5Token) Context 

func (m *KRB5Token) Context() context.Context

Context returns the KRB5 token's context which will contain any verify user identity information.

func (*KRB5Token) IsAPRep 

func (m *KRB5Token) IsAPRep() bool

IsAPRep tests if the MechToken contains an AP_REP.

func (*KRB5Token) IsAPReq 

func (m *KRB5Token) IsAPReq() bool

IsAPReq tests if the MechToken contains an AP_REQ.

func (*KRB5Token) IsKRBError 

func (m *KRB5Token) IsKRBError() bool

IsKRBError tests if the MechToken contains an KRB_ERROR.

func (*KRB5Token) Marshal 

func (m *KRB5Token) Marshal() ([]byte, error)

Marshal a KRB5Token into a slice of bytes.

func (*KRB5Token) Unmarshal 

func (m *KRB5Token) Unmarshal(b []byte) error

Unmarshal a KRB5Token.

func (*KRB5Token) Verify 

func (m *KRB5Token) Verify() (bool, gssapi.Status)

Verify a KRB5Token.

type NegState 

type NegState int

NegState is a type to indicate the SPNEGO negotiation state. 

const (
	NegStateAcceptCompleted  NegState = 0
	NegStateAcceptIncomplete NegState = 1
	NegStateReject           NegState = 2
	NegStateRequestMIC       NegState = 3
)

Negotiation state values.

type NegTokenInit 

type NegTokenInit struct {
	MechTypes      []asn1.ObjectIdentifier
	ReqFlags       asn1.BitString
	MechTokenBytes []byte
	MechListMIC    []byte
	// contains filtered or unexported fields
}

NegTokenInit implements Negotiation Token of type Init.

func NewNegTokenInitKRB5 

func NewNegTokenInitKRB5(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)

NewNegTokenInitKRB5 creates new Init negotiation token for Kerberos 5

func (*NegTokenInit) Context 

func (n *NegTokenInit) Context() context.Context

Context returns the SPNEGO context which will contain any verify user identity information.

func (*NegTokenInit) Marshal 

func (n *NegTokenInit) Marshal() ([]byte, error)

Marshal an Init negotiation token

func (*NegTokenInit) Unmarshal 

func (n *NegTokenInit) Unmarshal(b []byte) error

Unmarshal an Init negotiation token

func (*NegTokenInit) Verify 

func (n *NegTokenInit) Verify() (bool, gssapi.Status)

Verify an Init negotiation token

type NegTokenResp 

type NegTokenResp struct {
	NegState      asn1.Enumerated
	SupportedMech asn1.ObjectIdentifier
	ResponseToken []byte
	MechListMIC   []byte
	// contains filtered or unexported fields
}

NegTokenResp implements Negotiation Token of type Resp/Targ

func (*NegTokenResp) Context 

func (n *NegTokenResp) Context() context.Context

Context returns the SPNEGO context which will contain any verify user identity information.

func (*NegTokenResp) Marshal 

func (n *NegTokenResp) Marshal() ([]byte, error)

Marshal a Resp/Targ negotiation token

func (*NegTokenResp) State 

func (n *NegTokenResp) State() NegState

State returns the negotiation state of the negotiation response.

func (*NegTokenResp) Unmarshal 

func (n *NegTokenResp) Unmarshal(b []byte) error

Unmarshal a Resp/Targ negotiation token

func (*NegTokenResp) Verify 

func (n *NegTokenResp) Verify() (bool, gssapi.Status)

Verify a Resp/Targ negotiation token

type NegTokenTarg 

type NegTokenTarg NegTokenResp

NegTokenTarg implements Negotiation Token of type Resp/Targ

type SPNEGO 

type SPNEGO struct {
	// contains filtered or unexported fields
}

SPNEGO implements the GSS-API mechanism for RFC 4178

func SPNEGOClient 

func SPNEGOClient(cl *client.Client, spn string) *SPNEGO

SPNEGOClient configures the SPNEGO mechanism suitable for client side use.

func SPNEGOService 

func SPNEGOService(kt *keytab.Keytab, options ...func(*service.Settings)) *SPNEGO

SPNEGOService configures the SPNEGO mechanism suitable for service side use.

func (*SPNEGO) AcceptSecContext 

func (s *SPNEGO) AcceptSecContext(ct gssapi.ContextToken) (bool, context.Context, gssapi.Status)

AcceptSecContext is the GSS-API method for the service to verify the context token provided by the client and establish a context.

func (*SPNEGO) AcquireCred 

func (s *SPNEGO) AcquireCred() error

AcquireCred is the GSS-API method to acquire a client credential via Kerberos for SPNEGO.

func (*SPNEGO) InitSecContext 

func (s *SPNEGO) InitSecContext() (gssapi.ContextToken, error)

InitSecContext is the GSS-API method for the client to a generate a context token to the service via Kerberos.

func (*SPNEGO) Log 

func (s *SPNEGO) Log(format string, v ...interface{})

Log will write to the service's logger if it is configured.

func (*SPNEGO) OID 

func (s *SPNEGO) OID() asn1.ObjectIdentifier

OID returns the GSS-API assigned OID for SPNEGO.

type SPNEGOToken 

type SPNEGOToken struct {
	Init         bool
	Resp         bool
	NegTokenInit NegTokenInit
	NegTokenResp NegTokenResp
	// contains filtered or unexported fields
}

SPNEGOToken is a GSS-API context token

func (*SPNEGOToken) Context 

func (s *SPNEGOToken) Context() context.Context

Context returns the SPNEGO context which will contain any verify user identity information.

func (*SPNEGOToken) Marshal 

func (s *SPNEGOToken) Marshal() ([]byte, error)

Marshal SPNEGO context token

func (*SPNEGOToken) Unmarshal 

func (s *SPNEGOToken) Unmarshal(b []byte) error

Unmarshal SPNEGO context token

func (*SPNEGOToken) Verify 

func (s *SPNEGOToken) Verify() (bool, gssapi.Status)

Verify the SPNEGOToken

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.