Package service provides server-side integrations for Kerberos authentication.



    const (
    	// CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated.
    	CTXKeyAuthenticated ctxKey = 0
    	// CTXKeyCredentials is the request context key holding the credentials jcmturner/goidentity/Identity object.
    	CTXKeyCredentials ctxKey = 1


    func SPNEGOKRB5Authenticate

    func SPNEGOKRB5Authenticate(f http.Handler, kt keytab.Keytab, sa string, l *log.Logger) http.Handler

      SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.

      kt - keytab for the service user

      sa - service account name. If Active Directory is used for the KDC, this is the account name you have set the SPN against (setspn.exe -a "HTTP/<fqdn>" <account name>). If the SPN was added to the KDC without associating it with an account, pass an empty string "". This is the case if you create the SPN in MIT KDC with: /usr/sbin/kadmin.local -q "add_principal HTTP/<fqdn>"

      func ValidateAPREQ

      func ValidateAPREQ(APReq messages.APReq, kt keytab.Keytab, sa string, cAddr string) (bool, credentials.Credentials, error)

        ValidateAPREQ validates an AP_REQ sent to the service. It returns a boolean indicating whether the AP_REQ is valid, together with the client's principal name and realm.


        type Cache

        type Cache struct {
        	Entries map[string]clientEntries
        	// contains filtered or unexported fields

          Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.

          func GetReplayCache

          func GetReplayCache(d time.Duration) *Cache

            GetReplayCache returns a pointer to the Cache singleton.

            func (*Cache) AddEntry

            func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)

              AddEntry adds an entry to the Cache.

              func (*Cache) ClearOldEntries

              func (c *Cache) ClearOldEntries(d time.Duration)

                ClearOldEntries clears entries from the Cache that are older than the duration provided.

                func (*Cache) IsReplay

                func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool

                  IsReplay tests whether the Authenticator provided is a replay within the duration defined. If it is not a replay, the entry is added to the cache for tracking.

                  type KRB5BasicAuthenticator

                  type KRB5BasicAuthenticator struct {
                  	BasicHeaderValue string
                  	ServiceKeytab  *keytab.Keytab
                  	ServiceAccount string
                  	Config         *config.Config
                  	SPN            string
                  	// contains filtered or unexported fields

                    KRB5BasicAuthenticator implements the authenticator interface. It takes a username and password, so it can be used for basic authentication.

                    func (KRB5BasicAuthenticator) Authenticate

                    func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

                      Authenticate and return the identity. The boolean indicates whether the authentication was successful.

                      func (KRB5BasicAuthenticator) Mechanism

                      func (a KRB5BasicAuthenticator) Mechanism() string

                        Mechanism returns the authentication mechanism.

                        type SPNEGOAuthenticator

                        type SPNEGOAuthenticator struct {
                        	SPNEGOHeaderValue string
                        	Keytab            *keytab.Keytab
                        	ServiceAccount    string
                        	ClientAddr        string

                          SPNEGOAuthenticator implements the authenticator interface.

                          func (SPNEGOAuthenticator) Authenticate

                          func (a SPNEGOAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

                            Authenticate and retrieve a goidentity.Identity. In this case it is a pointer to a credentials.Credentials.

                            func (SPNEGOAuthenticator) Mechanism

                            func (a SPNEGOAuthenticator) Mechanism() string

                              Mechanism returns the authentication mechanism.