Documentation ¶
Overview ¶
Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication.
Index ¶
- Constants
- func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler
- func SetSPNEGOHeader(cl *client.Client, r *http.Request, spn string) error
- func UnmarshalNegToken(b []byte) (bool, interface{}, error)
- type Client
- func (c *Client) Do(req *http.Request) (resp *http.Response, err error)
- func (c *Client) Get(url string) (resp *http.Response, err error)
- func (c *Client) Head(url string) (resp *http.Response, err error)
- func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
- func (c *Client) PostForm(url string, data url.Values) (resp *http.Response, err error)
- type KRB5Token
- type NegState
- type NegTokenInit
- type NegTokenResp
- type NegTokenTarg
- type SPNEGO
- type SPNEGOToken
Constants ¶
const (
	// CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated.
	CTXKeyAuthenticated ctxKey = "github.com/0xZDH/gokrb5/CTXKeyAuthenticated"
	// CTXKeyCredentials is the request context key holding the credentials gopkg.in/jcmturner/goidentity.v2/Identity object.
	CTXKeyCredentials ctxKey = "github.com/0xZDH/gokrb5/CTXKeyCredentials"
	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
	HTTPHeaderAuthRequest = "Authorization"
	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
	HTTPHeaderAuthResponse = "WWW-Authenticate"
	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
	HTTPHeaderAuthResponseValueKey = "Negotiate"
	UnauthorizedMsg = "Unauthorised.\n"
)
const (
	TOK_ID_KRB_AP_REQ = "0100"
	TOK_ID_KRB_AP_REP = "0200"
	TOK_ID_KRB_ERROR  = "0300"
)
GSSAPI KRB5 MechToken IDs.
Variables ¶
This section is empty.
Functions ¶
func SPNEGOKRB5Authenticate ¶
func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler
SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.
func SetSPNEGOHeader ¶
SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on the HTTP request object. To generate the SPN automatically from the request object, pass an empty string "".
func UnmarshalNegToken ¶
UnmarshalNegToken unmarshals and returns either a NegTokenInit or a NegTokenResp.
The boolean indicates if the response is a NegTokenInit. If error is nil and the boolean is false the response is a NegTokenResp.
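The Init/Resp distinction that the boolean reports can also be made by hand from the outer ASN.1 tag of the token carried in an `Authorization: Negotiate` header. The following is an added, standard-library-only example, not code from this package; `classifyNegotiate`, `negotiate` and the sample tokens are constructed for illustration, and nothing here validates the Kerberos ticket inside the token.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// spnegoOID is the GSS-API mechanism OID for SPNEGO (RFC 4178).
var spnegoOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 2}
// Constructed samples (empty bodies, not captured traffic) and a hypothetical header builder.
var sampleInit = []byte{0x60, 0x0c, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, 0xa0, 0x02, 0x30, 0x00}
var sampleResp = []byte{0xa1, 0x02, 0x30, 0x00}
func negotiate(tok []byte) string { return "Negotiate " + base64.StdEncoding.EncodeToString(tok) }

// classifyNegotiate reports true for a NegTokenInit, false for a NegTokenResp.
func classifyNegotiate(header string) (bool, error) {
	scheme, b64, ok := strings.Cut(strings.TrimSpace(header), " ")
	if !ok || !strings.EqualFold(scheme, "Negotiate") {
		return false, errors.New("not a Negotiate header")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return false, fmt.Errorf("bad base64: %w", err)
	}
	var tok asn1.RawValue
	if _, err = asn1.Unmarshal(raw, &tok); err != nil {
		return false, fmt.Errorf("bad DER: %w", err)
	}
	// An initial token is wrapped: [APPLICATION 0] { mech OID, NegotiationToken }.
	if tok.Class == asn1.ClassApplication && tok.Tag == 0 {
		var oid asn1.ObjectIdentifier
		rest, err := asn1.Unmarshal(tok.Bytes, &oid)
		if err != nil || !oid.Equal(spnegoOID) {
			return false, errors.New("wrapper does not name the SPNEGO mechanism")
		}
		if _, err = asn1.Unmarshal(rest, &tok); err != nil {
			return false, fmt.Errorf("bad inner token: %w", err)
		}
	}
	if tok.Class != asn1.ClassContextSpecific || tok.Tag > 1 {
		return false, fmt.Errorf("not a NegotiationToken: class %d tag %d", tok.Class, tok.Tag)
	}
	return tok.Tag == 0, nil // CHOICE [0] = NegTokenInit, [1] = NegTokenResp
}

func main() { fmt.Println(classifyNegotiate(negotiate(sampleInit))) }
```

Rejecting a wrapper whose mechanism OID is not SPNEGO, and any outer tag other than the two CHOICE arms, keeps malformed or unrelated tokens out of later parsing.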
Types ¶
type Client ¶
Client will negotiate authentication with a server using SPNEGO.
func (*Client) Do ¶
Do is the SPNEGO enabled HTTP client's equivalent of the http.Client's Do method.
func (*Client) Get ¶
Get is the SPNEGO enabled HTTP client's equivalent of the http.Client's Get method.
func (*Client) Head ¶
Head is the SPNEGO enabled HTTP client's equivalent of the http.Client's Head method.
type KRB5Token ¶
type KRB5Token struct {
	OID      asn1.ObjectIdentifier
	APReq    messages.APReq
	APRep    messages.APRep
	KRBError messages.KRBError
	// contains filtered or unexported fields
}
KRB5Token context token implementation for GSSAPI.
func NewKRB5TokenAPREQ ¶
func NewKRB5TokenAPREQ(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (KRB5Token, error)
NewKRB5TokenAPREQ creates a new KRB5 token with AP_REQ
func (*KRB5Token) Context ¶
Context returns the KRB5 token's context, which will contain any verified user identity information.
func (*KRB5Token) IsKRBError ¶
IsKRBError tests if the MechToken contains a KRB_ERROR.
type NegTokenInit ¶
type NegTokenInit struct {
	MechTypes      []asn1.ObjectIdentifier
	ReqFlags       gssapi.ContextFlags
	MechTokenBytes []byte
	MechListMIC    []byte
	// contains filtered or unexported fields
}
NegTokenInit implements Negotiation Token of type Init.
func NewNegTokenInitKRB5 ¶
func NewNegTokenInitKRB5(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)
NewNegTokenInitKRB5 creates new Init negotiation token for Kerberos 5
func (*NegTokenInit) Context ¶
func (n *NegTokenInit) Context() context.Context
Context returns the SPNEGO context, which will contain any verified user identity information.
func (*NegTokenInit) Marshal ¶
func (n *NegTokenInit) Marshal() ([]byte, error)
Marshal an Init negotiation token
func (*NegTokenInit) Unmarshal ¶
func (n *NegTokenInit) Unmarshal(b []byte) error
Unmarshal an Init negotiation token
type NegTokenResp ¶
type NegTokenResp struct {
	NegState      asn1.Enumerated
	SupportedMech asn1.ObjectIdentifier
	ResponseToken []byte
	MechListMIC   []byte
	// contains filtered or unexported fields
}
NegTokenResp implements Negotiation Token of type Resp/Targ
func (*NegTokenResp) Context ¶
func (n *NegTokenResp) Context() context.Context
Context returns the SPNEGO context, which will contain any verified user identity information.
func (*NegTokenResp) Marshal ¶
func (n *NegTokenResp) Marshal() ([]byte, error)
Marshal a Resp/Targ negotiation token
func (*NegTokenResp) State ¶
func (n *NegTokenResp) State() NegState
State returns the negotiation state of the negotiation response.
func (*NegTokenResp) Unmarshal ¶
func (n *NegTokenResp) Unmarshal(b []byte) error
Unmarshal a Resp/Targ negotiation token
type NegTokenTarg ¶
type NegTokenTarg NegTokenResp
NegTokenTarg implements Negotiation Token of type Resp/Targ
type SPNEGO ¶
type SPNEGO struct {
// contains filtered or unexported fields
}
SPNEGO implements the GSS-API mechanism for RFC 4178
func SPNEGOClient ¶
SPNEGOClient configures the SPNEGO mechanism suitable for client side use.
func SPNEGOService ¶
SPNEGOService configures the SPNEGO mechanism suitable for service side use.
func (*SPNEGO) AcceptSecContext ¶
AcceptSecContext is the GSS-API method for the service to verify the context token provided by the client and establish a context.
func (*SPNEGO) AcquireCred ¶
AcquireCred is the GSS-API method to acquire a client credential via Kerberos for SPNEGO.
func (*SPNEGO) InitSecContext ¶
func (s *SPNEGO) InitSecContext() (gssapi.ContextToken, error)
InitSecContext is the GSS-API method for the client to generate a context token to the service via Kerberos.
func (*SPNEGO) OID ¶
func (s *SPNEGO) OID() asn1.ObjectIdentifier
OID returns the GSS-API assigned OID for SPNEGO.
type SPNEGOToken ¶
type SPNEGOToken struct {
	Init         bool
	Resp         bool
	NegTokenInit NegTokenInit
	NegTokenResp NegTokenResp
	// contains filtered or unexported fields
}
SPNEGOToken is a GSS-API context token
func (*SPNEGOToken) Context ¶
func (s *SPNEGOToken) Context() context.Context
Context returns the SPNEGO context, which will contain any verified user identity information.
func (*SPNEGOToken) Marshal ¶
func (s *SPNEGOToken) Marshal() ([]byte, error)
Marshal SPNEGO context token
func (*SPNEGOToken) Unmarshal ¶
func (s *SPNEGOToken) Unmarshal(b []byte) error
Unmarshal SPNEGO context token