package spnego
import "github.com/jcmturner/gokrb5/v8/spnego"
Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication.
Index ¶
- Constants
- func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler
- func SetSPNEGOHeader(cl *client.Client, r *http.Request, spn string) error
- func UnmarshalNegToken(b []byte) (bool, interface{}, error)
- type Client
- func NewClient(krb5Cl *client.Client, httpCl *http.Client, spn string) *Client
- func (c *Client) Do(req *http.Request) (resp *http.Response, err error)
- func (c *Client) Get(url string) (resp *http.Response, err error)
- func (c *Client) Head(url string) (resp *http.Response, err error)
- func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error)
- func (c *Client) PostForm(url string, data url.Values) (resp *http.Response, err error)
- type KRB5Token
- func NewKRB5TokenAPREQ(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (KRB5Token, error)
- func (m *KRB5Token) Context() context.Context
- func (m *KRB5Token) IsAPRep() bool
- func (m *KRB5Token) IsAPReq() bool
- func (m *KRB5Token) IsKRBError() bool
- func (m *KRB5Token) Marshal() ([]byte, error)
- func (m *KRB5Token) Unmarshal(b []byte) error
- func (m *KRB5Token) Verify() (bool, gssapi.Status)
- type NegState
- type NegTokenInit
- func NewNegTokenInitKRB5(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)
- func (n *NegTokenInit) Context() context.Context
- func (n *NegTokenInit) Marshal() ([]byte, error)
- func (n *NegTokenInit) Unmarshal(b []byte) error
- func (n *NegTokenInit) Verify() (bool, gssapi.Status)
- type NegTokenResp
- func (n *NegTokenResp) Context() context.Context
- func (n *NegTokenResp) Marshal() ([]byte, error)
- func (n *NegTokenResp) State() NegState
- func (n *NegTokenResp) Unmarshal(b []byte) error
- func (n *NegTokenResp) Verify() (bool, gssapi.Status)
- type NegTokenTarg
- type SPNEGO
- func SPNEGOClient(cl *client.Client, spn string) *SPNEGO
- func SPNEGOService(kt *keytab.Keytab, options ...func(*service.Settings)) *SPNEGO
- func (s *SPNEGO) AcceptSecContext(ct gssapi.ContextToken) (bool, context.Context, gssapi.Status)
- func (s *SPNEGO) AcquireCred() error
- func (s *SPNEGO) InitSecContext() (gssapi.ContextToken, error)
- func (s *SPNEGO) Log(format string, v ...interface{})
- func (s *SPNEGO) OID() asn1.ObjectIdentifier
- type SPNEGOToken
Constants ¶
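// HTTP header names and values used for SPNEGO over HTTP.
//
// The rendered declaration had lost the UnauthorizedMsg identifier and was
// collapsed onto one line, so the first // comment swallowed the rest of the
// block; both are restored here.
const (
	// HTTPHeaderAuthRequest is the header that will hold authn/z information.
	// Its value is a credential for the request: keep it out of logs and
	// send it only over TLS.
	HTTPHeaderAuthRequest = "Authorization"
	// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
	HTTPHeaderAuthResponse = "WWW-Authenticate"
	// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
	HTTPHeaderAuthResponseValueKey = "Negotiate"
	// UnauthorizedMsg is the message returned in the body when authentication fails.
	// It is a fixed string.
	UnauthorizedMsg = "Unauthorised.\n"
)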
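// GSSAPI KRB5 MechToken IDs.
//
// Each value is a hex string for the two-byte token identifier that prefixes
// the Kerberos message inside the mechanism token (RFC 4121 section 4.1
// assigns 01 00, 02 00 and 03 00 to these three messages). The declaration
// is laid out one constant per line; the collapsed one-line form is not
// valid Go.
const (
	// TOK_ID_KRB_AP_REQ marks a token carrying a KRB_AP_REQ.
	TOK_ID_KRB_AP_REQ = "0100"
	// TOK_ID_KRB_AP_REP marks a token carrying a KRB_AP_REP.
	TOK_ID_KRB_AP_REP = "0200"
	// TOK_ID_KRB_ERROR marks a token carrying a KRB_ERROR.
	TOK_ID_KRB_ERROR = "0300"
)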
GSSAPI KRB5 MechToken IDs.
Functions ¶
func SPNEGOKRB5Authenticate ¶
func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler
SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.
func SetSPNEGOHeader ¶
SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on the HTTP request object. To generate the SPN automatically from the request object, pass an empty string "".
func UnmarshalNegToken ¶
UnmarshalNegToken unmarshals and returns either a NegTokenInit or a NegTokenResp.
The boolean indicates if the response is a NegTokenInit. If error is nil and the boolean is false the response is a NegTokenResp.
Types ¶
type Client ¶
Client will negotiate authentication with a server using SPNEGO.
func NewClient ¶
NewClient returns a SPNEGO enabled HTTP client. Be careful when passing in the *http.Client if it is being reused in multiple calls to this function. Ensure that any reuse of the provided *http.Client is for the same user, because a session cookie may have been added to the http.Client's cookie jar. Incorrect reuse of the provided *http.Client could give one user access to another user's session. When in doubt, give each user a separate *http.Client (or at least a separate cookie jar).
func (*Client) Do ¶
Do is the SPNEGO enabled HTTP client's equivalent of the http.Client's Do method.
func (*Client) Get ¶
Get is the SPNEGO enabled HTTP client's equivalent of the http.Client's Get method.
func (*Client) Head ¶
Head is the SPNEGO enabled HTTP client's equivalent of the http.Client's Head method.
func (*Client) Post ¶
Post is the SPNEGO enabled HTTP client's equivalent of the http.Client's Post method.
func (*Client) PostForm ¶
PostForm is the SPNEGO enabled HTTP client's equivalent of the http.Client's PostForm method.
type KRB5Token ¶
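// KRB5Token is the context token implementation for GSSAPI.
//
// The declaration is laid out one field per line; in the collapsed one-line
// form the trailing // comment swallowed the closing brace.
type KRB5Token struct {
	// OID is the object identifier carried with the token.
	OID asn1.ObjectIdentifier
	// APReq, APRep and KRBError hold the Kerberos message inside the token.
	// Presumably only one is populated per token; use IsAPReq, IsAPRep and
	// IsKRBError to find out which rather than inspecting the fields.
	APReq    messages.APReq
	APRep    messages.APRep
	KRBError messages.KRBError
	// contains filtered or unexported fields
}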
KRB5Token context token implementation for GSSAPI.
func NewKRB5TokenAPREQ ¶
func NewKRB5TokenAPREQ(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey, GSSAPIFlags []int, APOptions []int) (KRB5Token, error)
NewKRB5TokenAPREQ creates a new KRB5 token with AP_REQ
func (*KRB5Token) Context ¶
Context returns the KRB5 token's context, which will contain any verified user identity information.
func (*KRB5Token) IsAPRep ¶
IsAPRep tests if the MechToken contains an AP_REP.
func (*KRB5Token) IsAPReq ¶
IsAPReq tests if the MechToken contains an AP_REQ.
func (*KRB5Token) IsKRBError ¶
IsKRBError tests if the MechToken contains a KRB_ERROR.
func (*KRB5Token) Marshal ¶
Marshal a KRB5Token into a slice of bytes.
func (*KRB5Token) Unmarshal ¶
Unmarshal a KRB5Token.
func (*KRB5Token) Verify ¶
Verify a KRB5Token.
type NegState ¶
type NegState int
NegState is a type to indicate the SPNEGO negotiation state.
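// Negotiation state values, numbered as in the RFC 4178 negState enumeration.
//
// The values are written out explicitly because they are wire values. The
// declaration is laid out one constant per line; the collapsed one-line form
// is not valid Go.
const (
	// NegStateAcceptCompleted means the negotiation finished successfully.
	// It is the only state a caller should treat as a completed negotiation.
	NegStateAcceptCompleted NegState = 0
	// NegStateAcceptIncomplete means more tokens must be exchanged.
	NegStateAcceptIncomplete NegState = 1
	// NegStateReject means the negotiation was refused.
	NegStateReject NegState = 2
	// NegStateRequestMIC means the peer asks for a MIC over the mechanism list.
	NegStateRequestMIC NegState = 3
)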
Negotiation state values.
type NegTokenInit ¶
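// NegTokenInit implements Negotiation Token of type Init.
//
// The declaration is laid out one field per line; in the collapsed one-line
// form the trailing // comment swallowed the closing brace.
type NegTokenInit struct {
	// MechTypes lists the mechanism OIDs offered by the initiator
	// (RFC 4178: in decreasing order of preference).
	MechTypes []asn1.ObjectIdentifier
	// ReqFlags holds the requested GSS-API context flags.
	ReqFlags gssapi.ContextFlags
	// MechTokenBytes is the encoded token for the preferred mechanism.
	MechTokenBytes []byte
	// MechListMIC is the MIC over the mechanism list defined by RFC 4178 to
	// protect the negotiation against tampering.
	// NOTE(review): this page does not show whether Verify checks it -
	// confirm before relying on downgrade protection.
	MechListMIC []byte
	// contains filtered or unexported fields
}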
NegTokenInit implements Negotiation Token of type Init.
func NewNegTokenInitKRB5 ¶
func NewNegTokenInitKRB5(cl *client.Client, tkt messages.Ticket, sessionKey types.EncryptionKey) (NegTokenInit, error)
NewNegTokenInitKRB5 creates new Init negotiation token for Kerberos 5
func (*NegTokenInit) Context ¶
func (n *NegTokenInit) Context() context.Context
Context returns the SPNEGO context, which will contain any verified user identity information.
func (*NegTokenInit) Marshal ¶
func (n *NegTokenInit) Marshal() ([]byte, error)
Marshal an Init negotiation token
func (*NegTokenInit) Unmarshal ¶
func (n *NegTokenInit) Unmarshal(b []byte) error
Unmarshal an Init negotiation token
func (*NegTokenInit) Verify ¶
func (n *NegTokenInit) Verify() (bool, gssapi.Status)
Verify an Init negotiation token
type NegTokenResp ¶
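// NegTokenResp implements Negotiation Token of type Resp/Targ.
//
// The declaration is laid out one field per line; in the collapsed one-line
// form the trailing // comment swallowed the closing brace.
type NegTokenResp struct {
	// NegState is the raw negotiation state; State returns it as a NegState.
	NegState asn1.Enumerated
	// SupportedMech is the OID of the mechanism selected by the responder.
	SupportedMech asn1.ObjectIdentifier
	// ResponseToken is the encoded mechanism token returned to the peer.
	ResponseToken []byte
	// MechListMIC is the MIC over the mechanism list defined by RFC 4178 to
	// protect the negotiation against tampering.
	// NOTE(review): this page does not show whether Verify checks it -
	// confirm before relying on downgrade protection.
	MechListMIC []byte
	// contains filtered or unexported fields
}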
NegTokenResp implements Negotiation Token of type Resp/Targ
func (*NegTokenResp) Context ¶
func (n *NegTokenResp) Context() context.Context
Context returns the SPNEGO context, which will contain any verified user identity information.
func (*NegTokenResp) Marshal ¶
func (n *NegTokenResp) Marshal() ([]byte, error)
Marshal a Resp/Targ negotiation token
func (*NegTokenResp) State ¶
func (n *NegTokenResp) State() NegState
State returns the negotiation state of the negotiation response.
func (*NegTokenResp) Unmarshal ¶
func (n *NegTokenResp) Unmarshal(b []byte) error
Unmarshal a Resp/Targ negotiation token
func (*NegTokenResp) Verify ¶
func (n *NegTokenResp) Verify() (bool, gssapi.Status)
Verify a Resp/Targ negotiation token
type NegTokenTarg ¶
type NegTokenTarg NegTokenResp
NegTokenTarg implements Negotiation Token of type Resp/Targ
type SPNEGO ¶
type SPNEGO struct {
// contains filtered or unexported fields
}
SPNEGO implements the GSS-API mechanism for RFC 4178
func SPNEGOClient ¶
SPNEGOClient configures the SPNEGO mechanism suitable for client side use.
func SPNEGOService ¶
SPNEGOService configures the SPNEGO mechanism suitable for service side use.
func (*SPNEGO) AcceptSecContext ¶
AcceptSecContext is the GSS-API method for the service to verify the context token provided by the client and establish a context.
func (*SPNEGO) AcquireCred ¶
AcquireCred is the GSS-API method to acquire a client credential via Kerberos for SPNEGO.
func (*SPNEGO) InitSecContext ¶
func (s *SPNEGO) InitSecContext() (gssapi.ContextToken, error)
InitSecContext is the GSS-API method for the client to generate a context token for the service via Kerberos.
func (*SPNEGO) Log ¶
Log will write to the service's logger if it is configured.
func (*SPNEGO) OID ¶
func (s *SPNEGO) OID() asn1.ObjectIdentifier
OID returns the GSS-API assigned OID for SPNEGO.
type SPNEGOToken ¶
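// SPNEGOToken is a GSS-API context token.
//
// The declaration is laid out one field per line; in the collapsed one-line
// form the trailing // comment swallowed the closing brace.
type SPNEGOToken struct {
	// Init and Resp presumably record which of the two tokens below is
	// populated - confirm against Unmarshal before branching on them.
	Init bool
	Resp bool
	// NegTokenInit is the Init negotiation token.
	NegTokenInit NegTokenInit
	// NegTokenResp is the Resp/Targ negotiation token.
	NegTokenResp NegTokenResp
	// contains filtered or unexported fields
}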
SPNEGOToken is a GSS-API context token
func (*SPNEGOToken) Context ¶
func (s *SPNEGOToken) Context() context.Context
Context returns the SPNEGO context, which will contain any verified user identity information.
func (*SPNEGOToken) Marshal ¶
func (s *SPNEGOToken) Marshal() ([]byte, error)
Marshal SPNEGO context token
func (*SPNEGOToken) Unmarshal ¶
func (s *SPNEGOToken) Unmarshal(b []byte) error
Unmarshal SPNEGO context token
func (*SPNEGOToken) Verify ¶
func (s *SPNEGOToken) Verify() (bool, gssapi.Status)
Verify the SPNEGOToken
Source Files ¶
http.go krb5Token.go negotiationToken.go spnego.go
- Version
- v8.4.0
- Published
- Jun 14, 2020
- Platform
- js/wasm
- Imports
- 28 packages