|
| 1 | +package auth |
| 2 | + |
| 3 | +import ( |
| 4 | + "context" |
| 5 | + "encoding/hex" |
| 6 | + "errors" |
| 7 | + "fmt" |
| 8 | + |
| 9 | + "github.com/jcmturner/gofork/encoding/asn1" |
| 10 | + "github.com/jcmturner/gokrb5/v8/asn1tools" |
| 11 | + "github.com/jcmturner/gokrb5/v8/gssapi" |
| 12 | + "github.com/jcmturner/gokrb5/v8/iana/msgtype" |
| 13 | + "github.com/jcmturner/gokrb5/v8/messages" |
| 14 | + "github.com/jcmturner/gokrb5/v8/service" |
| 15 | +) |
| 16 | + |
| 17 | +type ContextKey string |
| 18 | + |
| 19 | +const CtxCredential ContextKey = "spqr/gokrb5/CtxCredential" |
| 20 | + |
| 21 | +// GSSAPI KRB5 MechToken IDs. |
| 22 | +const ( |
| 23 | + TOK_ID_KRB_AP_REQ = "0100" |
| 24 | + TOK_ID_KRB_AP_REP = "0200" |
| 25 | + TOK_ID_KRB_ERROR = "0300" |
| 26 | +) |
| 27 | + |
| 28 | +// KRB5Token context token implementation for GSSAPI. |
| 29 | +type KRB5Token struct { |
| 30 | + OID asn1.ObjectIdentifier |
| 31 | + tokID []byte |
| 32 | + APReq messages.APReq |
| 33 | + APRep messages.APRep |
| 34 | + KRBError messages.KRBError |
| 35 | + settings *service.Settings |
| 36 | + context context.Context |
| 37 | +} |
| 38 | + |
| 39 | +// Marshal a KRB5Token into a slice of bytes. |
| 40 | +func (m *KRB5Token) Marshal() ([]byte, error) { |
| 41 | + // Create the header |
| 42 | + b, _ := asn1.Marshal(m.OID) |
| 43 | + b = append(b, m.tokID...) |
| 44 | + var tb []byte |
| 45 | + var err error |
| 46 | + switch hex.EncodeToString(m.tokID) { |
| 47 | + case TOK_ID_KRB_AP_REQ: |
| 48 | + tb, err = m.APReq.Marshal() |
| 49 | + if err != nil { |
| 50 | + return []byte{}, fmt.Errorf("error marshalling AP_REQ for MechToken: %v", err) |
| 51 | + } |
| 52 | + case TOK_ID_KRB_AP_REP: |
| 53 | + return []byte{}, errors.New("marshal of AP_REP GSSAPI MechToken not supported by gokrb5") |
| 54 | + case TOK_ID_KRB_ERROR: |
| 55 | + return []byte{}, errors.New("marshal of KRB_ERROR GSSAPI MechToken not supported by gokrb5") |
| 56 | + } |
| 57 | + if err != nil { |
| 58 | + return []byte{}, fmt.Errorf("error mashalling kerberos message within mech token: %v", err) |
| 59 | + } |
| 60 | + b = append(b, tb...) |
| 61 | + return asn1tools.AddASNAppTag(b, 0), nil |
| 62 | +} |
| 63 | + |
| 64 | +// Unmarshal a KRB5Token. |
| 65 | +func (m *KRB5Token) Unmarshal(b []byte) error { |
| 66 | + var oid asn1.ObjectIdentifier |
| 67 | + r, err := asn1.UnmarshalWithParams(b, &oid, fmt.Sprintf("application,explicit,tag:%v", 0)) |
| 68 | + if err != nil { |
| 69 | + return fmt.Errorf("error unmarshalling KRB5Token OID: %v", err) |
| 70 | + } |
| 71 | + if !oid.Equal(gssapi.OIDKRB5.OID()) { |
| 72 | + return fmt.Errorf("error unmarshalling KRB5Token, OID is %s not %s", oid.String(), gssapi.OIDKRB5.OID().String()) |
| 73 | + } |
| 74 | + m.OID = oid |
| 75 | + if len(r) < 2 { |
| 76 | + return fmt.Errorf("krb5token too short") |
| 77 | + } |
| 78 | + m.tokID = r[0:2] |
| 79 | + switch hex.EncodeToString(m.tokID) { |
| 80 | + case TOK_ID_KRB_AP_REQ: |
| 81 | + var a messages.APReq |
| 82 | + err = a.Unmarshal(r[2:]) |
| 83 | + if err != nil { |
| 84 | + return fmt.Errorf("error unmarshalling KRB5Token AP_REQ: %v", err) |
| 85 | + } |
| 86 | + m.APReq = a |
| 87 | + case TOK_ID_KRB_AP_REP: |
| 88 | + var a messages.APRep |
| 89 | + err = a.Unmarshal(r[2:]) |
| 90 | + if err != nil { |
| 91 | + return fmt.Errorf("error unmarshalling KRB5Token AP_REP: %v", err) |
| 92 | + } |
| 93 | + m.APRep = a |
| 94 | + case TOK_ID_KRB_ERROR: |
| 95 | + var a messages.KRBError |
| 96 | + err = a.Unmarshal(r[2:]) |
| 97 | + if err != nil { |
| 98 | + return fmt.Errorf("error unmarshalling KRB5Token KRBError: %v", err) |
| 99 | + } |
| 100 | + m.KRBError = a |
| 101 | + } |
| 102 | + return nil |
| 103 | +} |
| 104 | + |
| 105 | +// Verify a KRB5Token. |
| 106 | +func (m *KRB5Token) Verify() (bool, gssapi.Status) { |
| 107 | + switch hex.EncodeToString(m.tokID) { |
| 108 | + case TOK_ID_KRB_AP_REQ: |
| 109 | + ok, creds, err := service.VerifyAPREQ(&m.APReq, m.settings) |
| 110 | + if err != nil { |
| 111 | + return false, gssapi.Status{Code: gssapi.StatusDefectiveToken, Message: err.Error()} |
| 112 | + } |
| 113 | + if !ok { |
| 114 | + return false, gssapi.Status{Code: gssapi.StatusDefectiveCredential, Message: "KRB5_AP_REQ token not valid"} |
| 115 | + } |
| 116 | + m.context = context.Background() |
| 117 | + m.context = context.WithValue(m.context, CtxCredential, creds) |
| 118 | + return true, gssapi.Status{Code: gssapi.StatusComplete} |
| 119 | + case TOK_ID_KRB_AP_REP: |
| 120 | + // Client side |
| 121 | + // TODO how to verify the AP_REP - not yet implemented |
| 122 | + return false, gssapi.Status{Code: gssapi.StatusFailure, Message: "verifying an AP_REP is not currently supported by gokrb5"} |
| 123 | + case TOK_ID_KRB_ERROR: |
| 124 | + if m.KRBError.MsgType != msgtype.KRB_ERROR { |
| 125 | + return false, gssapi.Status{Code: gssapi.StatusDefectiveToken, Message: "KRB5_Error token not valid"} |
| 126 | + } |
| 127 | + return true, gssapi.Status{Code: gssapi.StatusUnavailable} |
| 128 | + } |
| 129 | + return false, gssapi.Status{Code: gssapi.StatusDefectiveToken, Message: "unknown TOK_ID in KRB5 token"} |
| 130 | +} |
| 131 | + |
| 132 | +// IsAPReq tests if the MechToken contains an AP_REQ. |
| 133 | +func (m *KRB5Token) IsAPReq() bool { |
| 134 | + return hex.EncodeToString(m.tokID) == TOK_ID_KRB_AP_REQ |
| 135 | +} |
| 136 | + |
| 137 | +// IsAPRep tests if the MechToken contains an AP_REP. |
| 138 | +func (m *KRB5Token) IsAPRep() bool { |
| 139 | + return hex.EncodeToString(m.tokID) == TOK_ID_KRB_AP_REP |
| 140 | +} |
| 141 | + |
| 142 | +// IsKRBError tests if the MechToken contains an KRB_ERROR. |
| 143 | +func (m *KRB5Token) IsKRBError() bool { |
| 144 | + return hex.EncodeToString(m.tokID) == TOK_ID_KRB_ERROR |
| 145 | +} |
| 146 | + |
| 147 | +// Context returns the KRB5 token's context which will contain any verify user identity information. |
| 148 | +func (m *KRB5Token) Context() context.Context { |
| 149 | + return m.context |
| 150 | +} |
0 commit comments