Documentation

Overview

    Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication.

    Constants

    const (
    
    	// CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated.
    	CTXKeyAuthenticated ctxKey = "github.com/jcmturner/gokrb5/CTXKeyAuthenticated"
    	// CTXKeyCredentials is the request context key holding the credentials gopkg.in/jcmturner/goidentity.v2/Identity object.
    	CTXKeyCredentials ctxKey = "github.com/jcmturner/gokrb5/CTXKeyCredentials"
    	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
    	HTTPHeaderAuthRequest = "Authorization"
    	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
    	HTTPHeaderAuthResponse = "WWW-Authenticate"
    	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
    	HTTPHeaderAuthResponseValueKey = "Negotiate"
    	// UnauthorizedMsg is the message returned in the body when authentication fails.
    	UnauthorizedMsg = "Unauthorised.\n"
    )

    const (
    	TOK_ID_KRB_AP_REQ = "0100"
    	TOK_ID_KRB_AP_REP = "0200"
    	TOK_ID_KRB_ERROR  = "0300"
    )

      GSSAPI KRB5 MechToken IDs.

      Functions

      func SPNEGOKRB5Authenticate

      func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler

        SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.

        func SetSPNEGOHeader

        func SetSPNEGOHeader(cl *client.Client, r *http.Request, spn string) error

          SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on the HTTP request object. To auto-generate the SPN from the request object, pass an empty string "".

          func UnmarshalNegToken

          func UnmarshalNegToken(b []byte) (bool, interface{}, error)

            UnmarshalNegToken unmarshals and returns either a NegTokenInit or a NegTokenResp.

            The boolean indicates if the response is a NegTokenInit. If error is nil and the boolean is false the response is a NegTokenResp.
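
The token kinds named above can be told apart from the first bytes of a decoded `Authorization: Negotiate` value: a GSS-API wrapped token starts with 0x60 followed by a mechanism OID, a bare NegTokenResp starts with 0xa1, and a KRB5 MechToken carries its two-byte TOK_ID right after the Kerberos OID. The following is an added example using only the Go standard library, not code from this package; `ClassifyNegotiate` is a hypothetical helper and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// DER-encoded mechanism OIDs (tag 0x06, length, value) that follow the GSS-API 0x60 header.
var oidSPNEGO = []byte{0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02}                   // 1.3.6.1.5.5.2
var oidKRB5 = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02} // 1.2.840.113554.1.2.2

// tokIDs mirrors the TOK_ID_* constants: hex of the two bytes after the KRB5 OID.
var tokIDs = map[string]string{"0100": "KRB_AP_REQ", "0200": "KRB_AP_REP", "0300": "KRB_ERROR"}

// ClassifyNegotiate (hypothetical) names the outermost token of a Negotiate header; it verifies nothing.
func ClassifyNegotiate(header string) (string, error) {
	scheme, b64, ok := strings.Cut(header, " ")
	if !ok || !strings.EqualFold(scheme, "Negotiate") {
		return "", fmt.Errorf("not a Negotiate header")
	}
	b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil || len(b) < 2 {
		return "", fmt.Errorf("token is not valid base64")
	}
	switch b[0] {
	case 0xa1: // NegotiationToken CHOICE [1]
		return "NegTokenResp", nil
	case 0x60: // GSS-API InitialContextToken, [APPLICATION 0]
		rest := b[2:]
		if b[1]&0x80 != 0 { // long-form DER length: skip the extra length octets
			n := int(b[1] & 0x7f)
			if n == 0 || n > 4 || len(rest) < n {
				return "", fmt.Errorf("bad DER length")
			}
			rest = rest[n:]
		}
		if bytes.HasPrefix(rest, oidSPNEGO) {
			return "NegTokenInit", nil
		}
		if bytes.HasPrefix(rest, oidKRB5) && len(rest) >= len(oidKRB5)+2 {
			if name, ok := tokIDs[hex.EncodeToString(rest[11:13])]; ok {
				return name, nil
			}
		}
	}
	return "", fmt.Errorf("unrecognised token, first byte 0x%02x", b[0])
}

func main() {
	tok := append([]byte{0x60, 0x0d}, append(oidKRB5, 0x01, 0x00)...) // constructed, no real ticket
	fmt.Println(ClassifyNegotiate("Negotiate " + base64.StdEncoding.EncodeToString(tok)))
}
```

A classifier like this is only useful for logging and triage of inbound headers; authentication decisions still require the token's Verify step.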

            Types

            type Client

            type Client struct {
            	*http.Client
            	// contains filtered or unexported fields
            }

              Client will negotiate authentication with a server using SPNEGO.

              func NewClient

              func NewClient(krb5Cl *client.Client, httpCl *http.Client, spn string) *Client

                NewClient returns an SPNEGO enabled HTTP client.

                func (*Client) Do

                func (c *Client) Do(req *http.Request) (resp *http.Response, err error)

                  Do is the SPNEGO enabled HTTP client's equivalent of the http.Client's Do method.

                  func (*Client) Get

                  func (c *Client) Get(url string) (resp *http.Response, err error)

                    Get is the SPNEGO enabled HTTP client's equivalent of the http.Client's Get method.

                    func (*Client) Head

                    func (c *Client) Head(url string) (resp *http.Response, err error)

                      Head is the SPNEGO enabled HTTP client's equivalent of the http.Client's Head method.

                      func (*Client) Post

                      func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error)

                        Post is the SPNEGO enabled HTTP client's equivalent of the http.Client's Post method.

                        func (*Client) PostForm

                        func (c *Client) PostForm(url string, data url.Values) (resp *http.Response, err error)

                          PostForm is the SPNEGO enabled HTTP client's equivalent of the http.Client's PostForm method.

                          type KRB5Token

                          type KRB5Token struct {
                          	OID asn1.ObjectIdentifier
                          
                          	APReq    messages.APReq
                          	APRep    messages.APRep
                          	KRBError messages.KRBError
                          	// contains filtered or unexported fields
                          }

                            KRB5Token context token implementation for GSSAPI.

                            func NewKRB5TokenAPREQ

                            func NewKRB5TokenAPREQ(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (KRB5Token, error)

                              NewKRB5TokenAPREQ creates a new KRB5 token with AP_REQ

                              func (*KRB5Token) Context

                              func (m *KRB5Token) Context() context.Context

                                Context returns the KRB5 token's context which will contain any verified user identity information.

                                func (*KRB5Token) IsAPRep

                                func (m *KRB5Token) IsAPRep() bool

                                  IsAPRep tests if the MechToken contains an AP_REP.

                                  func (*KRB5Token) IsAPReq

                                  func (m *KRB5Token) IsAPReq() bool

                                    IsAPReq tests if the MechToken contains an AP_REQ.

                                    func (*KRB5Token) IsKRBError

                                    func (m *KRB5Token) IsKRBError() bool

                                      IsKRBError tests if the MechToken contains a KRB_ERROR.

                                      func (*KRB5Token) Marshal

                                      func (m *KRB5Token) Marshal() ([]byte, error)

                                        Marshal a KRB5Token into a slice of bytes.

                                        func (*KRB5Token) Unmarshal

                                        func (m *KRB5Token) Unmarshal(b []byte) error

                                          Unmarshal a KRB5Token.

                                          func (*KRB5Token) Verify

                                          func (m *KRB5Token) Verify() (bool, gssapi.Status)

                                            Verify a KRB5Token.

                                            type NegState

                                            type NegState int

                                              NegState is a type to indicate the SPNEGO negotiation state.

                                              const (
                                              	NegStateAcceptCompleted  NegState = 0
                                              	NegStateAcceptIncomplete NegState = 1
                                              	NegStateReject           NegState = 2
                                              	NegStateRequestMIC       NegState = 3
                                              )

                                                Negotiation state values.

                                                type NegTokenInit

                                                type NegTokenInit struct {
                                                	MechTypes      []asn1.ObjectIdentifier
                                                	ReqFlags       gssapi.ContextFlags
                                                	MechTokenBytes []byte
                                                	MechListMIC    []byte
                                                	// contains filtered or unexported fields
                                                }

                                                  NegTokenInit implements Negotiation Token of type Init.

                                                  func NewNegTokenInitKRB5

                                                  func NewNegTokenInitKRB5(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)

                                                    NewNegTokenInitKRB5 creates new Init negotiation token for Kerberos 5

                                                    func (*NegTokenInit) Context

                                                    func (n *NegTokenInit) Context() context.Context

                                                      Context returns the SPNEGO context which will contain any verified user identity information.

                                                      func (*NegTokenInit) Marshal

                                                      func (n *NegTokenInit) Marshal() ([]byte, error)

                                                        Marshal an Init negotiation token

                                                        func (*NegTokenInit) Unmarshal

                                                        func (n *NegTokenInit) Unmarshal(b []byte) error

                                                          Unmarshal an Init negotiation token

                                                          func (*NegTokenInit) Verify

                                                          func (n *NegTokenInit) Verify() (bool, gssapi.Status)

                                                            Verify an Init negotiation token

                                                            type NegTokenResp

                                                            type NegTokenResp struct {
                                                            	NegState      asn1.Enumerated
                                                            	SupportedMech asn1.ObjectIdentifier
                                                            	ResponseToken []byte
                                                            	MechListMIC   []byte
                                                            	// contains filtered or unexported fields
                                                            }

                                                              NegTokenResp implements Negotiation Token of type Resp/Targ

                                                              func (*NegTokenResp) Context

                                                              func (n *NegTokenResp) Context() context.Context

                                                                Context returns the SPNEGO context which will contain any verified user identity information.

                                                                func (*NegTokenResp) Marshal

                                                                func (n *NegTokenResp) Marshal() ([]byte, error)

                                                                  Marshal a Resp/Targ negotiation token

                                                                  func (*NegTokenResp) State

                                                                  func (n *NegTokenResp) State() NegState

                                                                    State returns the negotiation state of the negotiation response.

                                                                    func (*NegTokenResp) Unmarshal

                                                                    func (n *NegTokenResp) Unmarshal(b []byte) error

                                                                      Unmarshal a Resp/Targ negotiation token

                                                                      func (*NegTokenResp) Verify

                                                                      func (n *NegTokenResp) Verify() (bool, gssapi.Status)

                                                                        Verify a Resp/Targ negotiation token

                                                                        type NegTokenTarg

                                                                        type NegTokenTarg NegTokenResp

                                                                          NegTokenTarg implements Negotiation Token of type Resp/Targ

                                                                          type SPNEGO

                                                                          type SPNEGO struct {
                                                                          	// contains filtered or unexported fields
                                                                          }

                                                                            SPNEGO implements the GSS-API mechanism for RFC 4178

                                                                            func SPNEGOClient

                                                                            func SPNEGOClient(cl *client.Client, spn string) *SPNEGO

                                                                              SPNEGOClient configures the SPNEGO mechanism suitable for client side use.

                                                                              func SPNEGOService

                                                                              func SPNEGOService(kt *keytab.Keytab, options ...func(*service.Settings)) *SPNEGO

                                                                                SPNEGOService configures the SPNEGO mechanism suitable for service side use.

                                                                                func (*SPNEGO) AcceptSecContext

                                                                                func (s *SPNEGO) AcceptSecContext(ct gssapi.ContextToken) (bool, context.Context, gssapi.Status)

                                                                                  AcceptSecContext is the GSS-API method for the service to verify the context token provided by the client and establish a context.

                                                                                  func (*SPNEGO) AcquireCred

                                                                                  func (s *SPNEGO) AcquireCred() error

                                                                                    AcquireCred is the GSS-API method to acquire a client credential via Kerberos for SPNEGO.

                                                                                    func (*SPNEGO) InitSecContext

                                                                                    func (s *SPNEGO) InitSecContext() (gssapi.ContextToken, error)

                                                                                      InitSecContext is the GSS-API method for the client to generate a context token to the service via Kerberos.

                                                                                      func (*SPNEGO) Log

                                                                                      func (s *SPNEGO) Log(format string, v ...interface{})

                                                                                        Log will write to the service's logger if it is configured.

                                                                                        func (*SPNEGO) OID

                                                                                        func (s *SPNEGO) OID() asn1.ObjectIdentifier

                                                                                          OID returns the GSS-API assigned OID for SPNEGO.

                                                                                          type SPNEGOToken

                                                                                          type SPNEGOToken struct {
                                                                                          	Init         bool
                                                                                          	Resp         bool
                                                                                          	NegTokenInit NegTokenInit
                                                                                          	NegTokenResp NegTokenResp
                                                                                          	// contains filtered or unexported fields
                                                                                          }

                                                                                            SPNEGOToken is a GSS-API context token

                                                                                            func (*SPNEGOToken) Context

                                                                                            func (s *SPNEGOToken) Context() context.Context

                                                                                              Context returns the SPNEGO context which will contain any verified user identity information.

                                                                                              func (*SPNEGOToken) Marshal

                                                                                              func (s *SPNEGOToken) Marshal() ([]byte, error)

                                                                                                Marshal SPNEGO context token

                                                                                                func (*SPNEGOToken) Unmarshal

                                                                                                func (s *SPNEGOToken) Unmarshal(b []byte) error

                                                                                                  Unmarshal SPNEGO context token

                                                                                                  func (*SPNEGOToken) Verify

                                                                                                  func (s *SPNEGOToken) Verify() (bool, gssapi.Status)

                                                                                                    Verify the SPNEGOToken