374 lines
13 KiB
Go
374 lines
13 KiB
Go
package spnego
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net"
|
|
"net/http"
|
|
"net/http/cookiejar"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/jcmturner/gofork/encoding/asn1"
|
|
"github.com/jcmturner/goidentity/v6"
|
|
"github.com/jcmturner/gokrb5/v8/client"
|
|
"github.com/jcmturner/gokrb5/v8/credentials"
|
|
"github.com/jcmturner/gokrb5/v8/gssapi"
|
|
"github.com/jcmturner/gokrb5/v8/keytab"
|
|
"github.com/jcmturner/gokrb5/v8/krberror"
|
|
"github.com/jcmturner/gokrb5/v8/service"
|
|
"github.com/jcmturner/gokrb5/v8/types"
|
|
)
|
|
|
|
// Client side functionality //
|
|
|
|
// Client will negotiate authentication with a server using SPNEGO.
|
|
type Client struct {
|
|
*http.Client
|
|
krb5Client *client.Client
|
|
spn string
|
|
reqs []*http.Request
|
|
}
|
|
|
|
type redirectErr struct {
|
|
reqTarget *http.Request
|
|
}
|
|
|
|
func (e redirectErr) Error() string {
|
|
return fmt.Sprintf("redirect to %v", e.reqTarget.URL)
|
|
}
|
|
|
|
type teeReadCloser struct {
|
|
io.Reader
|
|
io.Closer
|
|
}
|
|
|
|
// NewClient returns a SPNEGO enabled HTTP client.
|
|
// Be careful when passing in the *http.Client if it is beginning reused in multiple calls to this function.
|
|
// Ensure reuse of the provided *http.Client is for the same user as a session cookie may have been added to
|
|
// http.Client's cookie jar.
|
|
// Incorrect reuse of the provided *http.Client could lead to access to the wrong user's session.
|
|
func NewClient(krb5Cl *client.Client, httpCl *http.Client, spn string) *Client {
|
|
if httpCl == nil {
|
|
httpCl = &http.Client{}
|
|
}
|
|
// Add a cookie jar if there isn't one
|
|
if httpCl.Jar == nil {
|
|
httpCl.Jar, _ = cookiejar.New(nil)
|
|
}
|
|
// Add a CheckRedirect function that will execute any functional already defined and then error with a redirectErr
|
|
f := httpCl.CheckRedirect
|
|
httpCl.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
if f != nil {
|
|
err := f(req, via)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return redirectErr{reqTarget: req}
|
|
}
|
|
return &Client{
|
|
Client: httpCl,
|
|
krb5Client: krb5Cl,
|
|
spn: spn,
|
|
}
|
|
}
|
|
|
|
// Do is the SPNEGO enabled HTTP client's equivalent of the http.Client's Do method.
|
|
func (c *Client) Do(req *http.Request) (resp *http.Response, err error) {
|
|
var body bytes.Buffer
|
|
if req.Body != nil {
|
|
// Use a tee reader to capture any body sent in case we have to replay it again
|
|
teeR := io.TeeReader(req.Body, &body)
|
|
teeRC := teeReadCloser{teeR, req.Body}
|
|
req.Body = teeRC
|
|
}
|
|
resp, err = c.Client.Do(req)
|
|
if err != nil {
|
|
if ue, ok := err.(*url.Error); ok {
|
|
if e, ok := ue.Err.(redirectErr); ok {
|
|
// Picked up a redirect
|
|
e.reqTarget.Header.Del(HTTPHeaderAuthRequest)
|
|
c.reqs = append(c.reqs, e.reqTarget)
|
|
if len(c.reqs) >= 10 {
|
|
return resp, errors.New("stopped after 10 redirects")
|
|
}
|
|
if req.Body != nil {
|
|
// Refresh the body reader so the body can be sent again
|
|
e.reqTarget.Body = ioutil.NopCloser(&body)
|
|
}
|
|
return c.Do(e.reqTarget)
|
|
}
|
|
}
|
|
return resp, err
|
|
}
|
|
if respUnauthorizedNegotiate(resp) {
|
|
err := SetSPNEGOHeader(c.krb5Client, req, c.spn)
|
|
if err != nil {
|
|
return resp, err
|
|
}
|
|
if req.Body != nil {
|
|
// Refresh the body reader so the body can be sent again
|
|
req.Body = ioutil.NopCloser(&body)
|
|
}
|
|
return c.Do(req)
|
|
}
|
|
return resp, err
|
|
}
|
|
|
|
// Get is the SPNEGO enabled HTTP client's equivalent of the http.Client's Get method.
|
|
func (c *Client) Get(url string) (resp *http.Response, err error) {
|
|
req, err := http.NewRequest("GET", url, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return c.Do(req)
|
|
}
|
|
|
|
// Post is the SPNEGO enabled HTTP client's equivalent of the http.Client's Post method.
|
|
func (c *Client) Post(url, contentType string, body io.Reader) (resp *http.Response, err error) {
|
|
req, err := http.NewRequest("POST", url, body)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req.Header.Set("Content-Type", contentType)
|
|
return c.Do(req)
|
|
}
|
|
|
|
// PostForm is the SPNEGO enabled HTTP client's equivalent of the http.Client's PostForm method.
|
|
func (c *Client) PostForm(url string, data url.Values) (resp *http.Response, err error) {
|
|
return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode()))
|
|
}
|
|
|
|
// Head is the SPNEGO enabled HTTP client's equivalent of the http.Client's Head method.
|
|
func (c *Client) Head(url string) (resp *http.Response, err error) {
|
|
req, err := http.NewRequest("HEAD", url, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return c.Do(req)
|
|
}
|
|
|
|
func respUnauthorizedNegotiate(resp *http.Response) bool {
|
|
if resp.StatusCode == http.StatusUnauthorized {
|
|
if resp.Header.Get(HTTPHeaderAuthResponse) == HTTPHeaderAuthResponseValueKey {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on HTTP request object.
|
|
// To auto generate the SPN from the request object pass a null string "".
|
|
func SetSPNEGOHeader(cl *client.Client, r *http.Request, spn string) error {
|
|
if spn == "" {
|
|
h := strings.TrimSuffix(strings.SplitN(r.URL.Host, ":", 2)[0], ".")
|
|
name, err := net.LookupCNAME(h)
|
|
if err == nil {
|
|
// Underlyng canonical name should be used for SPN
|
|
h = strings.TrimSuffix(name, ".")
|
|
}
|
|
spn = "HTTP/" + h
|
|
r.Host = h
|
|
}
|
|
cl.Log("using SPN %s", spn)
|
|
s := SPNEGOClient(cl, spn)
|
|
err := s.AcquireCred()
|
|
if err != nil {
|
|
return fmt.Errorf("could not acquire client credential: %v", err)
|
|
}
|
|
st, err := s.InitSecContext()
|
|
if err != nil {
|
|
return fmt.Errorf("could not initialize context: %v", err)
|
|
}
|
|
nb, err := st.Marshal()
|
|
if err != nil {
|
|
return krberror.Errorf(err, krberror.EncodingError, "could not marshal SPNEGO")
|
|
}
|
|
hs := "Negotiate " + base64.StdEncoding.EncodeToString(nb)
|
|
r.Header.Set(HTTPHeaderAuthRequest, hs)
|
|
return nil
|
|
}
|
|
|
|
// Service side functionality //
|
|
|
|
const (
|
|
// spnegoNegTokenRespKRBAcceptCompleted - The response on successful authentication always has this header. Capturing as const so we don't have marshaling and encoding overhead.
|
|
spnegoNegTokenRespKRBAcceptCompleted = "Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg=="
|
|
// spnegoNegTokenRespReject - The response on a failed authentication always has this rejection header. Capturing as const so we don't have marshaling and encoding overhead.
|
|
spnegoNegTokenRespReject = "Negotiate oQcwBaADCgEC"
|
|
// spnegoNegTokenRespIncompleteKRB5 - Response token specifying incomplete context and KRB5 as the supported mechtype.
|
|
spnegoNegTokenRespIncompleteKRB5 = "Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
|
|
// sessionCredentials is the session value key holding the credentials jcmturner/goidentity/Identity object.
|
|
sessionCredentials = "github.com/jcmturner/gokrb5/v8/sessionCredentials"
|
|
// ctxCredentials is the SPNEGO context key holding the credentials jcmturner/goidentity/Identity object.
|
|
ctxCredentials = "github.com/jcmturner/gokrb5/v8/ctxCredentials"
|
|
// HTTPHeaderAuthRequest is the header that will hold authn/z information.
|
|
HTTPHeaderAuthRequest = "Authorization"
|
|
// HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server.
|
|
HTTPHeaderAuthResponse = "WWW-Authenticate"
|
|
// HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO.
|
|
HTTPHeaderAuthResponseValueKey = "Negotiate"
|
|
// UnauthorizedMsg is the message returned in the body when authentication fails.
|
|
UnauthorizedMsg = "Unauthorised.\n"
|
|
)
|
|
|
|
// SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.
|
|
func SPNEGOKRB5Authenticate(inner http.Handler, kt *keytab.Keytab, settings ...func(*service.Settings)) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// Set up the SPNEGO GSS-API mechanism
|
|
var spnego *SPNEGO
|
|
h, err := types.GetHostAddress(r.RemoteAddr)
|
|
if err == nil {
|
|
// put in this order so that if the user provides a ClientAddress it will override the one here.
|
|
o := append([]func(*service.Settings){service.ClientAddress(h)}, settings...)
|
|
spnego = SPNEGOService(kt, o...)
|
|
} else {
|
|
spnego = SPNEGOService(kt, settings...)
|
|
spnego.Log("%s - SPNEGO could not parse client address: %v", r.RemoteAddr, err)
|
|
}
|
|
|
|
// Check if there is a session manager and if there is an already established session for this client
|
|
id, err := getSessionCredentials(spnego, r)
|
|
if err == nil && id.Authenticated() {
|
|
// There is an established session so bypass auth and serve
|
|
spnego.Log("%s - SPNEGO request served under session %s", r.RemoteAddr, id.SessionID())
|
|
inner.ServeHTTP(w, goidentity.AddToHTTPRequestContext(&id, r))
|
|
return
|
|
}
|
|
|
|
st, err := getAuthorizationNegotiationHeaderAsSPNEGOToken(spnego, r, w)
|
|
if st == nil || err != nil {
|
|
// response to client and logging handled in function above so just return
|
|
return
|
|
}
|
|
|
|
// Validate the context token
|
|
authed, ctx, status := spnego.AcceptSecContext(st)
|
|
if status.Code != gssapi.StatusComplete && status.Code != gssapi.StatusContinueNeeded {
|
|
spnegoResponseReject(spnego, w, "%s - SPNEGO validation error: %v", r.RemoteAddr, status)
|
|
return
|
|
}
|
|
if status.Code == gssapi.StatusContinueNeeded {
|
|
spnegoNegotiateKRB5MechType(spnego, w, "%s - SPNEGO GSS-API continue needed", r.RemoteAddr)
|
|
return
|
|
}
|
|
|
|
if authed {
|
|
// Authentication successful; get user's credentials from the context
|
|
id := ctx.Value(ctxCredentials).(*credentials.Credentials)
|
|
// Create a new session if a session manager has been configured
|
|
err = newSession(spnego, r, w, id)
|
|
if err != nil {
|
|
return
|
|
}
|
|
spnegoResponseAcceptCompleted(spnego, w, "%s %s@%s - SPNEGO authentication succeeded", r.RemoteAddr, id.UserName(), id.Domain())
|
|
// Add the identity to the context and serve the inner/wrapped handler
|
|
inner.ServeHTTP(w, goidentity.AddToHTTPRequestContext(id, r))
|
|
return
|
|
}
|
|
// If we get to here we have not authenticationed so just reject
|
|
spnegoResponseReject(spnego, w, "%s - SPNEGO Kerberos authentication failed", r.RemoteAddr)
|
|
return
|
|
})
|
|
}
|
|
|
|
func getAuthorizationNegotiationHeaderAsSPNEGOToken(spnego *SPNEGO, r *http.Request, w http.ResponseWriter) (*SPNEGOToken, error) {
|
|
s := strings.SplitN(r.Header.Get(HTTPHeaderAuthRequest), " ", 2)
|
|
if len(s) != 2 || s[0] != HTTPHeaderAuthResponseValueKey {
|
|
// No Authorization header set so return 401 with WWW-Authenticate Negotiate header
|
|
w.Header().Set(HTTPHeaderAuthResponse, HTTPHeaderAuthResponseValueKey)
|
|
http.Error(w, UnauthorizedMsg, http.StatusUnauthorized)
|
|
return nil, errors.New("client did not provide a negotiation authorization header")
|
|
}
|
|
|
|
// Decode the header into an SPNEGO context token
|
|
b, err := base64.StdEncoding.DecodeString(s[1])
|
|
if err != nil {
|
|
err = fmt.Errorf("error in base64 decoding negotiation header: %v", err)
|
|
spnegoNegotiateKRB5MechType(spnego, w, "%s - SPNEGO %v", r.RemoteAddr, err)
|
|
return nil, err
|
|
}
|
|
var st SPNEGOToken
|
|
err = st.Unmarshal(b)
|
|
if err != nil {
|
|
// Check if this is a raw KRB5 context token - issue #347.
|
|
var k5t KRB5Token
|
|
if k5t.Unmarshal(b) != nil {
|
|
err = fmt.Errorf("error in unmarshaling SPNEGO token: %v", err)
|
|
spnegoNegotiateKRB5MechType(spnego, w, "%s - SPNEGO %v", r.RemoteAddr, err)
|
|
return nil, err
|
|
}
|
|
// Wrap it into an SPNEGO context token
|
|
st.Init = true
|
|
st.NegTokenInit = NegTokenInit{
|
|
MechTypes: []asn1.ObjectIdentifier{k5t.OID},
|
|
MechTokenBytes: b,
|
|
}
|
|
}
|
|
return &st, nil
|
|
}
|
|
|
|
func getSessionCredentials(spnego *SPNEGO, r *http.Request) (credentials.Credentials, error) {
|
|
var creds credentials.Credentials
|
|
// Check if there is a session manager and if there is an already established session for this client
|
|
if sm := spnego.serviceSettings.SessionManager(); sm != nil {
|
|
cb, err := sm.Get(r, sessionCredentials)
|
|
if err != nil || cb == nil || len(cb) < 1 {
|
|
return creds, fmt.Errorf("%s - SPNEGO error getting session and credentials for request: %v", r.RemoteAddr, err)
|
|
}
|
|
err = creds.Unmarshal(cb)
|
|
if err != nil {
|
|
return creds, fmt.Errorf("%s - SPNEGO credentials malformed in session: %v", r.RemoteAddr, err)
|
|
}
|
|
return creds, nil
|
|
}
|
|
return creds, errors.New("no session manager configured")
|
|
}
|
|
|
|
func newSession(spnego *SPNEGO, r *http.Request, w http.ResponseWriter, id *credentials.Credentials) error {
|
|
if sm := spnego.serviceSettings.SessionManager(); sm != nil {
|
|
// create new session
|
|
idb, err := id.Marshal()
|
|
if err != nil {
|
|
spnegoInternalServerError(spnego, w, "SPNEGO could not marshal credentials to add to the session: %v", err)
|
|
return err
|
|
}
|
|
err = sm.New(w, r, sessionCredentials, idb)
|
|
if err != nil {
|
|
spnegoInternalServerError(spnego, w, "SPNEGO could not create new session: %v", err)
|
|
return err
|
|
}
|
|
spnego.Log("%s %s@%s - SPNEGO new session (%s) created", r.RemoteAddr, id.UserName(), id.Domain(), id.SessionID())
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Log and respond to client for error conditions
|
|
|
|
func spnegoNegotiateKRB5MechType(s *SPNEGO, w http.ResponseWriter, format string, v ...interface{}) {
|
|
s.Log(format, v...)
|
|
w.Header().Set(HTTPHeaderAuthResponse, spnegoNegTokenRespIncompleteKRB5)
|
|
http.Error(w, UnauthorizedMsg, http.StatusUnauthorized)
|
|
}
|
|
|
|
func spnegoResponseReject(s *SPNEGO, w http.ResponseWriter, format string, v ...interface{}) {
|
|
s.Log(format, v...)
|
|
w.Header().Set(HTTPHeaderAuthResponse, spnegoNegTokenRespReject)
|
|
http.Error(w, UnauthorizedMsg, http.StatusUnauthorized)
|
|
}
|
|
|
|
func spnegoResponseAcceptCompleted(s *SPNEGO, w http.ResponseWriter, format string, v ...interface{}) {
|
|
s.Log(format, v...)
|
|
w.Header().Set(HTTPHeaderAuthResponse, spnegoNegTokenRespKRBAcceptCompleted)
|
|
}
|
|
|
|
func spnegoInternalServerError(s *SPNEGO, w http.ResponseWriter, format string, v ...interface{}) {
|
|
s.Log(format, v...)
|
|
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
|
|
}
|