62 lines
2.4 KiB
Go
62 lines
2.4 KiB
Go
package service
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/jcmturner/gokrb5/v8/credentials"
|
|
"github.com/jcmturner/gokrb5/v8/iana/errorcode"
|
|
"github.com/jcmturner/gokrb5/v8/messages"
|
|
)
|
|
|
|
// VerifyAPREQ verifies an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.
|
|
func VerifyAPREQ(APReq *messages.APReq, s *Settings) (bool, *credentials.Credentials, error) {
|
|
var creds *credentials.Credentials
|
|
ok, err := APReq.Verify(s.Keytab, s.MaxClockSkew(), s.ClientAddress(), s.KeytabPrincipal())
|
|
if err != nil || !ok {
|
|
return false, creds, err
|
|
}
|
|
|
|
if s.RequireHostAddr() && len(APReq.Ticket.DecryptedEncPart.CAddr) < 1 {
|
|
return false, creds,
|
|
messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_BADADDR, "ticket does not contain HostAddress values required")
|
|
}
|
|
|
|
// Check for replay
|
|
rc := GetReplayCache(s.MaxClockSkew())
|
|
if rc.IsReplay(APReq.Ticket.SName, APReq.Authenticator) {
|
|
return false, creds,
|
|
messages.NewKRBError(APReq.Ticket.SName, APReq.Ticket.Realm, errorcode.KRB_AP_ERR_REPEAT, "replay detected")
|
|
}
|
|
|
|
c := credentials.NewFromPrincipalName(APReq.Authenticator.CName, APReq.Authenticator.CRealm)
|
|
creds = c
|
|
creds.SetAuthTime(time.Now().UTC())
|
|
creds.SetAuthenticated(true)
|
|
creds.SetValidUntil(APReq.Ticket.DecryptedEncPart.EndTime)
|
|
|
|
//PAC decoding
|
|
if !s.disablePACDecoding {
|
|
isPAC, pac, err := APReq.Ticket.GetPACType(s.Keytab, s.KeytabPrincipal(), s.Logger())
|
|
if isPAC && err != nil {
|
|
return false, creds, err
|
|
}
|
|
if isPAC {
|
|
// There is a valid PAC. Adding attributes to creds
|
|
creds.SetADCredentials(credentials.ADCredentials{
|
|
GroupMembershipSIDs: pac.KerbValidationInfo.GetGroupMembershipSIDs(),
|
|
LogOnTime: pac.KerbValidationInfo.LogOnTime.Time(),
|
|
LogOffTime: pac.KerbValidationInfo.LogOffTime.Time(),
|
|
PasswordLastSet: pac.KerbValidationInfo.PasswordLastSet.Time(),
|
|
EffectiveName: pac.KerbValidationInfo.EffectiveName.Value,
|
|
FullName: pac.KerbValidationInfo.FullName.Value,
|
|
UserID: int(pac.KerbValidationInfo.UserID),
|
|
PrimaryGroupID: int(pac.KerbValidationInfo.PrimaryGroupID),
|
|
LogonServer: pac.KerbValidationInfo.LogonServer.Value,
|
|
LogonDomainName: pac.KerbValidationInfo.LogonDomainName.Value,
|
|
LogonDomainID: pac.KerbValidationInfo.LogonDomainID.String(),
|
|
})
|
|
}
|
|
}
|
|
return true, creds, nil
|
|
}
|